Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cea4dcfd authored by Kees Cook's avatar Kees Cook Committed by Nicholas Bellinger
Browse files

iscsi-target: fix heap buffer overflow on error 



If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.

Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.

CVE-2013-2850

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
parent 21363ca8

drivers/target/iscsi/iscsi_target_parameters.c

+3 −5
Original line number Diff line number Diff line
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( 
	}

	INIT_LIST_HEAD(&extra_response->er_list);



	strncpy(extra_response->key, key, strlen(key) + 1);

	strncpy(extra_response->value, NOTUNDERSTOOD,

			strlen(NOTUNDERSTOOD) + 1);

	strlcpy(extra_response->key, key, sizeof(extra_response->key));

	strlcpy(extra_response->value, NOTUNDERSTOOD,

		sizeof(extra_response->value));



	list_add_tail(&extra_response->er_list,

			&param_list->extra_response_list);
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( 


		if (phase & PHASE_SECURITY) {

			if (iscsi_check_for_auth_key(key) > 0) {

				char *tmpptr = key + strlen(key);

				*tmpptr = '=';

				kfree(tmpbuf);

				return 1;

			}

drivers/target/iscsi/iscsi_target_parameters.h

+3 −1
Original line number Diff line number Diff line 
#ifndef ISCSI_PARAMETERS_H

#define ISCSI_PARAMETERS_H



#include <scsi/iscsi_proto.h>



struct iscsi_extra_response {

	char key[64];

	char key[KEY_MAXLEN];

	char value[32];

	struct list_head er_list;

} ____cacheline_aligned;