diff options
| author | Kees Cook <keescook@chromium.org> | 2013-05-23 13:32:17 -0400 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-05-30 21:07:54 -0400 |
| commit | cea4dcfdad926a27a18e188720efe0f2c9403456 (patch) | |
| tree | 7ae6fd132bbd1e7cd888dcaae6946cecfd20a2e1 | |
| parent | 21363ca873334391992f2f424856aa864345bb61 (diff) | |
iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
| -rw-r--r-- | drivers/target/iscsi/iscsi_target_parameters.c | 8 | ||||
| -rw-r--r-- | drivers/target/iscsi/iscsi_target_parameters.h | 4 |
2 files changed, 6 insertions, 6 deletions
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c index c2185fc31136..e38222191a33 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.c +++ b/drivers/target/iscsi/iscsi_target_parameters.c | |||
| @@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( | |||
| 758 | } | 758 | } |
| 759 | INIT_LIST_HEAD(&extra_response->er_list); | 759 | INIT_LIST_HEAD(&extra_response->er_list); |
| 760 | 760 | ||
| 761 | strncpy(extra_response->key, key, strlen(key) + 1); | 761 | strlcpy(extra_response->key, key, sizeof(extra_response->key)); |
| 762 | strncpy(extra_response->value, NOTUNDERSTOOD, | 762 | strlcpy(extra_response->value, NOTUNDERSTOOD, |
| 763 | strlen(NOTUNDERSTOOD) + 1); | 763 | sizeof(extra_response->value)); |
| 764 | 764 | ||
| 765 | list_add_tail(&extra_response->er_list, | 765 | list_add_tail(&extra_response->er_list, |
| 766 | ¶m_list->extra_response_list); | 766 | ¶m_list->extra_response_list); |
| @@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( | |||
| 1629 | 1629 | ||
| 1630 | if (phase & PHASE_SECURITY) { | 1630 | if (phase & PHASE_SECURITY) { |
| 1631 | if (iscsi_check_for_auth_key(key) > 0) { | 1631 | if (iscsi_check_for_auth_key(key) > 0) { |
| 1632 | char *tmpptr = key + strlen(key); | ||
| 1633 | *tmpptr = '='; | ||
| 1634 | kfree(tmpbuf); | 1632 | kfree(tmpbuf); |
| 1635 | return 1; | 1633 | return 1; |
| 1636 | } | 1634 | } |
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h index 915b06798505..a47046a752aa 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.h +++ b/drivers/target/iscsi/iscsi_target_parameters.h | |||
| @@ -1,8 +1,10 @@ | |||
| 1 | #ifndef ISCSI_PARAMETERS_H | 1 | #ifndef ISCSI_PARAMETERS_H |
| 2 | #define ISCSI_PARAMETERS_H | 2 | #define ISCSI_PARAMETERS_H |
| 3 | 3 | ||
| 4 | #include <scsi/iscsi_proto.h> | ||
| 5 | |||
| 4 | struct iscsi_extra_response { | 6 | struct iscsi_extra_response { |
| 5 | char key[64]; | 7 | char key[KEY_MAXLEN]; |
| 6 | char value[32]; | 8 | char value[32]; |
| 7 | struct list_head er_list; | 9 | struct list_head er_list; |
| 8 | } ____cacheline_aligned; | 10 | } ____cacheline_aligned; |