From: Hannes Reinecke <hare@suse.de>
To: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
Cc: Nic Bellinger <nab@daterainc.com>,
target-devel@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] target_core_spc: bounds check for spc_emulate_inquiry()
Date: Fri, 20 Dec 2013 07:47:25 +0100 [thread overview]
Message-ID: <52B3E7FD.9030504@suse.de> (raw)
In-Reply-To: <1387491087.5567.62.camel@haakon3.risingtidesystems.com>
On 12/19/2013 11:11 PM, Nicholas A. Bellinger wrote:
> On Thu, 2013-12-19 at 14:36 +0100, Hannes Reinecke wrote:
>> Instead of using a static buffer for inquiry data we should
>> rather use the command-provided buffer and implement proper
>> bounds checking when writing to it.
>> Inquiry is by no means time-critical ...
>>
>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>> ---
>> drivers/target/target_core_spc.c | 391 +++++++++++++++++++++--------------
>> include/target/target_core_backend.h | 2 +-
>> 2 files changed, 235 insertions(+), 158 deletions(-)
>>
>
> Mmmmm, so this used to be the case once upon a time, and was changed to
> the current local buffer copy + possible truncate for simplicities sake.
>
> I still favor the copy to an oversized local buffer vs. adding explicit
> size checks to every possible assignment..
>
> How about changing the local buffer to heap memory instead, and bumping
> SE_INQUIRY_BUF to 1024 bytes..?
>
Ok. But then we should have a quick check at the start
if (cmd->data_length > SE_INQUIRY_BUF)
len = cmd->data_length
else
len = SE_INQUIRY_BUF
to catch oversized requests.
Cheers,
Hannes
--
Dr. Hannes Reinecke zSeries & Storage
hare@suse.de +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2013-12-20 6:47 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-19 13:36 [PATCH 0/2] Handle data underflow Hannes Reinecke
2013-12-19 13:36 ` [PATCH 1/2] target_core_alua: check for buffer overflow Hannes Reinecke
2013-12-19 21:43 ` Nicholas A. Bellinger
2013-12-19 13:36 ` [PATCH 2/2] target_core_spc: bounds check for spc_emulate_inquiry() Hannes Reinecke
2013-12-19 22:11 ` Nicholas A. Bellinger
2013-12-20 6:47 ` Hannes Reinecke [this message]
2013-12-20 22:53 ` Paolo Bonzini
2013-12-22 2:53 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52B3E7FD.9030504@suse.de \
--to=hare@suse.de \
--cc=linux-scsi@vger.kernel.org \
--cc=nab@daterainc.com \
--cc=nab@linux-iscsi.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).