diff options
| author |   Zhixiong Chi <zhixiong.chi@windriver.com> | 2018-01-04 02:52:14 -0800 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2018-10-15 12:50:46 -0700 |
| commit | 59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0 (patch) | |
| tree | f31fe9352b14cf0fea61f6e594e18e1885996739 /meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch | |
| parent | 1b5bafb1127c96f5d6c071c413d4339f625a9573 (diff) | |
| download | meta-openembedded-contrib-stable/rocko-nmut.tar.gz | |
iscsi-initiator-utils: CVE-2017-17840stable/rocko-nmut
Backport CVE patches from the github upstream:
https://github.com/open-iscsi/open-iscsi
commit as follows:
e313bd648a4c8a9526421e270eb597a5de1e0c7f
b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea
be58eed849f5457bb49b79e94aa6a26971ba6deb
5504053cc08df38d8d85032fa1691e363dfcfb92
85f647c4300a888bb6cbc27f33138549cab617e3
a7a96131bd2ea342f6def0e46be514baf8037ae8
59ede2cf4eee8729a4221000a5d1ecdd312a31ac
https://nvd.nist.gov/vuln/detail/CVE-2017-17840
A local attacker can cause the iscsiuio server to abort or potentially
execute code by sending messages with incorrect lengths, which (due to
lack of checking) can lead to buffer overflows, and result in aborts
(with overflow checking enabled) or code execution.
The process_iscsid_broadcast function in iscsiuio/src/unix/iscsid_ipc.c
does not validate the payload length before a write operation
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
(cherry picked from commit fdd3c62df9f4cb4e263aca4ab426ae9f88b29912)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch')
| -rw-r--r-- | meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch new file mode 100644 index 0000000000..b73b01120e --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch @@ -0,0 +1,78 @@ +From c9fc86a50459776d9a7abb609f6503c57d69e034 Mon Sep 17 00:00:00 2001 +From: Lee Duncan <lduncan@suse.com> +Date: Fri, 15 Dec 2017 11:15:26 -0800 +Subject: [PATCH 5/7] Ensure strings from peer are copied correctly. + +The method of using strlen() and strcpy()/strncpy() has +a couple of holes. Do not try to measure the length of +strings supplied from peer, and ensure copied strings are +NULL-terminated. Use the new strlcpy() instead. +Found by Qualsys. + +CVE: CVE-2017-17840 + +Upstream-Status: Backport + +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + iscsiuio/src/unix/iscsid_ipc.c | 24 ++++++------------------ + 1 file changed, 6 insertions(+), 18 deletions(-) + +diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c +index bde8d66..52ae8c6 100644 +--- a/iscsiuio/src/unix/iscsid_ipc.c ++++ b/iscsiuio/src/unix/iscsid_ipc.c +@@ -152,10 +152,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird) + struct in_addr ia; + struct in6_addr ia6; + +- if (strlen(in_ipaddr_str) > NI_MAXHOST) +- strncpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST); +- else +- strcpy(ipaddr_str, in_ipaddr_str); ++ strlcpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST); + + /* Find the CIDR if any */ + tmp = strchr(ipaddr_str, '/'); +@@ -287,22 +284,16 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec) + + /* For LL on, ignore the IPv6 addr in the iface */ + if (ird->linklocal_autocfg == IPV6_LL_AUTOCFG_OFF) { +- if (strlen(rec->ipv6_linklocal) > NI_MAXHOST) +- strncpy(ipaddr_str, rec->ipv6_linklocal, +- NI_MAXHOST); +- else +- strcpy(ipaddr_str, rec->ipv6_linklocal); ++ strlcpy(ipaddr_str, rec->ipv6_linklocal, ++ NI_MAXHOST); + inet_pton(AF_INET6, ipaddr_str, + &ird->ipv6_linklocal); + } + + /* For RTR on, ignore the IPv6 addr in the iface */ + if (ird->router_autocfg == IPV6_RTR_AUTOCFG_OFF) { +- if (strlen(rec->ipv6_router) > NI_MAXHOST) +- strncpy(ipaddr_str, rec->ipv6_router, +- NI_MAXHOST); +- else +- strcpy(ipaddr_str, rec->ipv6_router); ++ strlcpy(ipaddr_str, rec->ipv6_router, ++ NI_MAXHOST); + inet_pton(AF_INET6, ipaddr_str, + &ird->ipv6_router); + } +@@ -316,10 +307,7 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec) + calculate_default_netmask( + ird->ipv4_addr.s_addr); + +- if (strlen(rec->gateway) > NI_MAXHOST) +- strncpy(ipaddr_str, rec->gateway, NI_MAXHOST); +- else +- strcpy(ipaddr_str, rec->gateway); ++ strlcpy(ipaddr_str, rec->gateway, NI_MAXHOST); + inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway); + } + } else { +-- +1.9.1 + |