lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220607143035.29541-1-xiaohuizhang@ruc.edu.cn>
Date:   Tue,  7 Jun 2022 22:30:35 +0800
From:   Xiaohui Zhang <xiaohuizhang@....edu.cn>
To:     Xiaohui Zhang <xiaohuizhang@....edu.cn>,
        "Martin K . Petersen" <martin.petersen@...cle.com>,
        Mike Christie <michael.christie@...cle.com>,
        Max Gurtovoy <mgurtovoy@...dia.com>,
        Varun Prakash <varun@...lsio.com>, linux-scsi@...r.kernel.org,
        target-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 1/1] cxgbit_target: Reject immediate data underflow larger than SCSI transfer length

Similar to the handling of iscsit_get_immediate_data in commit abb85a9b512e
("iscsi-target: Reject immediate data underflow larger than SCSI transfer length"),
we thought a patch might be needed here as well.

Signed-off-by: Xiaohui Zhang <xiaohuizhang@....edu.cn>
---
 drivers/target/iscsi/cxgbit/cxgbit_target.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/target/iscsi/cxgbit/cxgbit_target.c b/drivers/target/iscsi/cxgbit/cxgbit_target.c
index acfc39683c87..800bec4b1e88 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
@@ -920,6 +920,18 @@ cxgbit_get_immediate_data(struct iscsit_cmd *cmd, struct iscsi_scsi_req *hdr,
 	 */
 	if (dump_payload)
 		goto after_immediate_data;
+	/*
+	 * Check for underflow case where both EDTL and immediate data payload
+	 * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
+	 * already been set in target_cmd_size_check() as se_cmd->data_length.
+	 *
+	 * For this special case, fail the command and dump the immediate data
+	 * payload.
+	 */
+	if (cmd->first_burst_len > cmd->se_cmd.data_length) {
+		cmd->sense_reason = TCM_INVALID_CDB_FIELD;
+		goto after_immediate_data;
+	}
 
 	immed_ret = cxgbit_handle_immediate_data(cmd, hdr,
 						 cmd->first_burst_len);
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ