diff options
Diffstat (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch')
-rw-r--r-- | meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch new file mode 100644 index 0000000000..274722c231 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch @@ -0,0 +1,62 @@ +From 8167e5ce99682f64918a20966ce393cd33ac67ef Mon Sep 17 00:00:00 2001 +From: Lee Duncan <lduncan@suse.com> +Date: Fri, 15 Dec 2017 11:13:29 -0800 +Subject: [PATCH 4/7] Do not double-close IPC file stream to iscsid + +A double-close of a file descriptor and its associated FILE stream +can be an issue in multi-threaded cases. Found by Qualsys. + +CVE: CVE-2017-17840 + +Upstream-Status: Backport + +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + iscsiuio/src/unix/iscsid_ipc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c +index 61e96cc..bde8d66 100644 +--- a/iscsiuio/src/unix/iscsid_ipc.c ++++ b/iscsiuio/src/unix/iscsid_ipc.c +@@ -913,6 +913,9 @@ early_exit: + /** + * process_iscsid_broadcast() - This function is used to process the + * broadcast messages from iscsid ++ * ++ * s2 is an open file descriptor, which ++ * must not be left open upon return + */ + int process_iscsid_broadcast(int s2) + { +@@ -928,6 +931,7 @@ int process_iscsid_broadcast(int s2) + if (fd == NULL) { + LOG_ERR(PFX "Couldn't open file descriptor: %d(%s)", + errno, strerror(errno)); ++ close(s2); + return -EIO; + } + +@@ -1030,7 +1034,8 @@ int process_iscsid_broadcast(int s2) + } + + error: +- free(data); ++ if (data) ++ free(data); + fclose(fd); + + return rc; +@@ -1132,8 +1137,8 @@ static void *iscsid_loop(void *arg) + break; + } + ++ /* this closes the file descriptor s2 */ + process_iscsid_broadcast(s2); +- close(s2); + } + + pthread_cleanup_pop(0); +-- +1.9.1 + |