From 035bb16845537351e1bccb16d38981754fd53129 Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 10:37:56 -0800
Subject: [PATCH 2/7] iscsiuio should ignore bogus iscsid broadcast packets

When iscsiuio is receiving broadcast packets from iscsid,
if the 'payload_len', carried in the packet, is too
large then ignore the packet and print a message.
Found by Qualsys.

CVE: CVE-2017-17840

Upstream-Status: Backport

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 iscsiuio/src/unix/iscsid_ipc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index 08e49e5..dfdae63 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -950,6 +950,12 @@ int process_iscsid_broadcast(int s2)
 
 	cmd = data->header.command;
 	payload_len = data->header.payload_len;
+	if (payload_len > sizeof(data->u)) {
+		LOG_ERR(PFX "Data payload length too large (%d). Corrupt payload?",
+				payload_len);
+		rc = -EINVAL;
+		goto error;
+	}
 
 	LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
 		  cmd, payload_len);
-- 
1.9.1