| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZMAFoszXQ3vwc9It@rhel-developer-toolbox-latest>
Date: Tue, 25 Jul 2023 10:25:54 -0700
From: Chris Leech <cleech@...hat.com>
To: Lin Ma <linma@....edu.cn>
Cc: lduncan@...e.com, michael.christie@...cle.com, jejb@...ux.ibm.com,
martin.petersen@...cle.com, vikas.chaudhary@...gic.com,
JBottomley@...allels.com, mchan@...adcom.com, benli@...adcom.com,
ogerlitz@...taire.com, open-iscsi@...glegroups.com,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] scsi: iscsi: Add length check for nlattr payload
On Tue, Jul 25, 2023 at 10:45:29AM +0800, Lin Ma wrote:
> The current NETLINK_ISCSI netlink parsing loop checks every nlmsg to
> make sure the length is bigger than the sizeof(struct iscsi_uevent) and
> then calls iscsi_if_recv_msg(...).
>
> nlh = nlmsg_hdr(skb);
> if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
> skb->len < nlh->nlmsg_len) {
> break;
> }
> ...
> err = iscsi_if_recv_msg(skb, nlh, &group);
>
> Hence, in iscsi_if_recv_msg, the nlmsg_data can be safely converted to
> iscsi_uevent as the length is already checked.
>
> However, in the following parsing, the length of nlattr payload is never
> checked before the payload is converted to other data structures in some
> consumers. A bad one for example is function iscsi_set_path(...) who
> converts the payload to type iscsi_path without any checks.
Thank you for doing the code review on this, I think these changes look
good.
Reviewed-by: Chris Leech <cleech@...hat.com>
Powered by blists - more mailing lists