diff options
Diffstat (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch')
-rw-r--r-- | meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch new file mode 100644 index 0000000000..c63c0a8d56 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch @@ -0,0 +1,64 @@ +From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001 +From: Lee Duncan <lduncan@suse.com> +Date: Fri, 15 Dec 2017 11:21:15 -0800 +Subject: [PATCH 7/7] Check iscsiuio ping data length for validity + +We do not trust that the received ping packet data length +is correct, so sanity check it. Found by Qualsys. + +CVE: CVE-2017-17840 + +Upstream-Status: Backport + +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + iscsiuio/src/unix/iscsid_ipc.c | 5 +++++ + iscsiuio/src/unix/packet.c | 2 +- + iscsiuio/src/unix/packet.h | 2 ++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c +index 85742da..a2caacc 100644 +--- a/iscsiuio/src/unix/iscsid_ipc.c ++++ b/iscsiuio/src/unix/iscsid_ipc.c +@@ -333,6 +333,11 @@ static void *perform_ping(void *arg) + + data = (iscsid_uip_broadcast_t *)png_c->data; + datalen = data->u.ping_rec.datalen; ++ if ((datalen > STD_MTU_SIZE) || (datalen < 0)) { ++ LOG_ERR(PFX "Ping datalen invalid: %d", datalen); ++ rc = -EINVAL; ++ goto ping_done; ++ } + + memset(dst_addr, 0, sizeof(uip_ip6addr_t)); + if (nic_iface->protocol == AF_INET) { +diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c +index ecea09b..3ce2c6b 100644 +--- a/iscsiuio/src/unix/packet.c ++++ b/iscsiuio/src/unix/packet.c +@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets) + for (i = 0; i < num_of_packets; i++) { + packet_t *pkt; + +- pkt = alloc_packet(1500, 1500); ++ pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE); + if (pkt == NULL) { + goto done; + } +diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h +index b63d688..19d1db9 100644 +--- a/iscsiuio/src/unix/packet.h ++++ b/iscsiuio/src/unix/packet.h +@@ -43,6 +43,8 @@ + + #include "nic.h" + ++#define STD_MTU_SIZE 1500 ++ + struct nic; + struct nic_interface; + +-- +1.9.1 + |