| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1367624456.21785.2.camel@haakon3.risingtidesystems.com>
Date: Fri, 03 May 2013 16:40:56 -0700
From: "Nicholas A. Bellinger" <nab@...ux-iscsi.org>
To: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: target-devel <target-devel@...r.kernel.org>,
linux-rdma <linux-rdma@...r.kernel.org>,
linux-scsi <linux-scsi@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
Roland Dreier <roland@...nel.org>,
Or Gerlitz <ogerlitz@...lanox.com>,
Alexander Nezhinsky <alexandern@...lanox.com>
Subject: Re: [RFC-v4 7/9] iscsi-target: Refactor TX queue logic + export
response PDU creation
On Fri, 2013-05-03 at 23:04 +0200, Geert Uytterhoeven wrote:
> Hi Nicholas,
>
> On Fri, Apr 12, 2013 at 10:52 PM, Nicholas A. Bellinger
> <nab@...ux-iscsi.org> wrote:
> > --- a/drivers/target/iscsi/iscsi_target.c
> > +++ b/drivers/target/iscsi/iscsi_target.c
>
> > static int iscsit_send_reject(
> > struct iscsi_cmd *cmd,
> > struct iscsi_conn *conn)
> > @@ -3505,18 +3548,9 @@ static int iscsit_send_reject(
> > struct iscsi_reject *hdr;
> > struct kvec *iov;
> >
> > - hdr = (struct iscsi_reject *) cmd->pdu;
>
> Woops, and now hdr is no longer initialized:
>
> drivers/target/iscsi/iscsi_target.c: In function ‘iscsit_send_reject’:
> drivers/target/iscsi/iscsi_target.c:3577: warning: ‘hdr’ is used
> uninitialized in this function
>
> > - hdr->opcode = ISCSI_OP_REJECT;
> > - hdr->flags |= ISCSI_FLAG_CMD_FINAL;
> > - hton24(hdr->dlength, ISCSI_HDR_LEN);
> > - hdr->ffffffff = cpu_to_be32(0xffffffff);
> > - cmd->stat_sn = conn->stat_sn++;
> > - hdr->statsn = cpu_to_be32(cmd->stat_sn);
> > - hdr->exp_cmdsn = cpu_to_be32(conn->sess->exp_cmd_sn);
> > - hdr->max_cmdsn = cpu_to_be32(conn->sess->max_cmd_sn);
> > + iscsit_build_reject(cmd, conn, (struct iscsi_reject *)&cmd->pdu[0]);
>
> Hence it will crash later:
>
> iscsit_do_crypto_hash_buf(&conn->conn_tx_hash,
> (unsigned char *)hdr, ISCSI_HDR_LEN,
> 0, NULL, (u8 *)header_digest);
>
> and
>
> pr_debug("Built Reject PDU StatSN: 0x%08x, Reason: 0x%02x,"
> " CID: %hu\n", ntohl(hdr->statsn), hdr->reason, conn->cid);
>
Whoops. Applying the following patch to fix this up now, and including
in the next PULL request.
Thanks alot for catching this!
--nab
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index ffbc6a9..c230eac 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -3557,11 +3557,11 @@ static int iscsit_send_reject(
struct iscsi_cmd *cmd,
struct iscsi_conn *conn)
{
- u32 iov_count = 0, tx_size = 0;
- struct iscsi_reject *hdr;
+ struct iscsi_reject *hdr = (struct iscsi_reject *)&cmd->pdu[0];
struct kvec *iov;
+ u32 iov_count = 0, tx_size;
- iscsit_build_reject(cmd, conn, (struct iscsi_reject *)&cmd->pdu[0]);
+ iscsit_build_reject(cmd, conn, hdr);
iov = &cmd->iov_misc[0];
iov[iov_count].iov_base = cmd->pdu;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists