| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Jun 2022 22:30:35 +0800
From: Xiaohui Zhang <xiaohuizhang@....edu.cn>
To: Xiaohui Zhang <xiaohuizhang@....edu.cn>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
Mike Christie <michael.christie@...cle.com>,
Max Gurtovoy <mgurtovoy@...dia.com>,
Varun Prakash <varun@...lsio.com>, linux-scsi@...r.kernel.org,
target-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 1/1] cxgbit_target: Reject immediate data underflow larger than SCSI transfer length
Similar to the handling of iscsit_get_immediate_data in commit abb85a9b512e
("iscsi-target: Reject immediate data underflow larger than SCSI transfer length"),
we thought a patch might be needed here as well.
Signed-off-by: Xiaohui Zhang <xiaohuizhang@....edu.cn>
---
drivers/target/iscsi/cxgbit/cxgbit_target.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/target/iscsi/cxgbit/cxgbit_target.c b/drivers/target/iscsi/cxgbit/cxgbit_target.c
index acfc39683c87..800bec4b1e88 100644
--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c
+++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c
@@ -920,6 +920,18 @@ cxgbit_get_immediate_data(struct iscsit_cmd *cmd, struct iscsi_scsi_req *hdr,
*/
if (dump_payload)
goto after_immediate_data;
+ /*
+ * Check for underflow case where both EDTL and immediate data payload
+ * exceeds what is presented by CDB's TRANSFER LENGTH, and what has
+ * already been set in target_cmd_size_check() as se_cmd->data_length.
+ *
+ * For this special case, fail the command and dump the immediate data
+ * payload.
+ */
+ if (cmd->first_burst_len > cmd->se_cmd.data_length) {
+ cmd->sense_reason = TCM_INVALID_CDB_FIELD;
+ goto after_immediate_data;
+ }
immed_ret = cxgbit_handle_immediate_data(cmd, hdr,
cmd->first_burst_len);
--
2.17.1
Powered by blists - more mailing lists