From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001 From: Lee Duncan Date: Fri, 15 Dec 2017 11:21:15 -0800 Subject: [PATCH 7/7] Check iscsiuio ping data length for validity We do not trust that the received ping packet data length is correct, so sanity check it. Found by Qualsys. CVE: CVE-2017-17840 Upstream-Status: Backport Signed-off-by: Zhixiong Chi --- iscsiuio/src/unix/iscsid_ipc.c | 5 +++++ iscsiuio/src/unix/packet.c | 2 +- iscsiuio/src/unix/packet.h | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c index 85742da..a2caacc 100644 --- a/iscsiuio/src/unix/iscsid_ipc.c +++ b/iscsiuio/src/unix/iscsid_ipc.c @@ -333,6 +333,11 @@ static void *perform_ping(void *arg) data = (iscsid_uip_broadcast_t *)png_c->data; datalen = data->u.ping_rec.datalen; + if ((datalen > STD_MTU_SIZE) || (datalen < 0)) { + LOG_ERR(PFX "Ping datalen invalid: %d", datalen); + rc = -EINVAL; + goto ping_done; + } memset(dst_addr, 0, sizeof(uip_ip6addr_t)); if (nic_iface->protocol == AF_INET) { diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c index ecea09b..3ce2c6b 100644 --- a/iscsiuio/src/unix/packet.c +++ b/iscsiuio/src/unix/packet.c @@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets) for (i = 0; i < num_of_packets; i++) { packet_t *pkt; - pkt = alloc_packet(1500, 1500); + pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE); if (pkt == NULL) { goto done; } diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h index b63d688..19d1db9 100644 --- a/iscsiuio/src/unix/packet.h +++ b/iscsiuio/src/unix/packet.h @@ -43,6 +43,8 @@ #include "nic.h" +#define STD_MTU_SIZE 1500 + struct nic; struct nic_interface; -- 1.9.1