* potential buffer overrun in __iscsi_conn_send_pdu()
@ 2013-06-24 15:46 Dan Carpenter
2014-09-01 18:06 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-06-24 15:46 UTC (permalink / raw)
To: michaelc; +Cc: linux-scsi
My static checker complains about a possible array overflow in
__iscsi_conn_send_pdu().
drivers/scsi/libiscsi.c
743 if (data_size) {
744 memcpy(task->data, data, data_size);
745 task->data_count = data_size;
746 } else
747 task->data_count = 0;
748
"data_size" comes from skb->data and we haven't checked that it is less
than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
The call tree is:
iscsi_if_recv_msg()
iscsi_conn_send_pdu()
__iscsi_conn_send_pdu()
I'm a newbie to this code, so I'm not sure if this is a real bug or not.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: potential buffer overrun in __iscsi_conn_send_pdu()
2013-06-24 15:46 potential buffer overrun in __iscsi_conn_send_pdu() Dan Carpenter
@ 2014-09-01 18:06 ` Dan Carpenter
2014-09-02 3:22 ` Mike Christie
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2014-09-01 18:06 UTC (permalink / raw)
To: michaelc; +Cc: linux-scsi, Kees Cook
I never heard back on this. It still looks like a very serious bug
with security implications etc.
regards,
dan carpenter
On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
> My static checker complains about a possible array overflow in
> __iscsi_conn_send_pdu().
>
> drivers/scsi/libiscsi.c
> 743 if (data_size) {
> 744 memcpy(task->data, data, data_size);
> 745 task->data_count = data_size;
> 746 } else
> 747 task->data_count = 0;
> 748
>
> "data_size" comes from skb->data and we haven't checked that it is less
> than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
>
> The call tree is:
> iscsi_if_recv_msg()
> iscsi_conn_send_pdu()
> __iscsi_conn_send_pdu()
>
> I'm a newbie to this code, so I'm not sure if this is a real bug or not.
>
> regards,
> dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: potential buffer overrun in __iscsi_conn_send_pdu()
2014-09-01 18:06 ` Dan Carpenter
@ 2014-09-02 3:22 ` Mike Christie
0 siblings, 0 replies; 3+ messages in thread
From: Mike Christie @ 2014-09-02 3:22 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-scsi, Kees Cook
On 9/1/14, 1:06 PM, Dan Carpenter wrote:
> I never heard back on this. It still looks like a very serious bug
> with security implications etc.
>
Sorry about that. I must have missed the original. You are right. I
should have a tested patch by tomorrow.
> regards,
> dan carpenter
>
> On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
>> My static checker complains about a possible array overflow in
>> __iscsi_conn_send_pdu().
>>
>> drivers/scsi/libiscsi.c
>> 743 if (data_size) {
>> 744 memcpy(task->data, data, data_size);
>> 745 task->data_count = data_size;
>> 746 } else
>> 747 task->data_count = 0;
>> 748
>>
>> "data_size" comes from skb->data and we haven't checked that it is less
>> than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
>>
>> The call tree is:
>> iscsi_if_recv_msg()
>> iscsi_conn_send_pdu()
>> __iscsi_conn_send_pdu()
>>
>> I'm a newbie to this code, so I'm not sure if this is a real bug or not.
>>
>> regards,
>> dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-09-02 3:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-24 15:46 potential buffer overrun in __iscsi_conn_send_pdu() Dan Carpenter
2014-09-01 18:06 ` Dan Carpenter
2014-09-02 3:22 ` Mike Christie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox