blob: 1f5202ec02715d1bc245174589ab96d1fa414d82 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From 035bb16845537351e1bccb16d38981754fd53129 Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 10:37:56 -0800
Subject: [PATCH 2/7] iscsiuio should ignore bogus iscsid broadcast packets
When iscsiuio is receiving broadcast packets from iscsid,
if the 'payload_len', carried in the packet, is too
large then ignore the packet and print a message.
Found by Qualsys.
CVE: CVE-2017-17840
Upstream-Status: Backport
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
iscsiuio/src/unix/iscsid_ipc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index 08e49e5..dfdae63 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -950,6 +950,12 @@ int process_iscsid_broadcast(int s2)
cmd = data->header.command;
payload_len = data->header.payload_len;
+ if (payload_len > sizeof(data->u)) {
+ LOG_ERR(PFX "Data payload length too large (%d). Corrupt payload?",
+ payload_len);
+ rc = -EINVAL;
+ goto error;
+ }
LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
cmd, payload_len);
--
1.9.1
|