Fix a buffer overflow in the code for unmarshalling the PERSISTENT RESERVE IN / READ RESERVATION

If no reservation is held a SCSI target sends a response that is eight
bytes long while scsi-lowlevel.c fills in the first twelve bytes of a
data structure for which only eight bytes are allocated. Fix this buffer
overflow by always allocating a full
scsi_persistent_reserve_in_read_reservation structure.

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
This commit is contained in:
Bart Van Assche
2013-05-29 18:05:22 +02:00
committed by Ronnie Sahlberg
parent 8da8cf8c4c
commit 0577fa9d66

@@ -802,9 +802,7 @@ scsi_persistentreservein_datain_unmarshall(struct scsi_task *task)
size_t alloc_sz;
i = task_get_uint32(task, 4);
alloc_sz = offsetof(
struct scsi_persistent_reserve_in_read_reservation,
reserved) + i;
alloc_sz = sizeof(struct scsi_persistent_reserve_in_read_reservation);
rr = scsi_malloc(task, alloc_sz);
if (rr == NULL) {
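
Review bot: the additional length read by i = task_get_uint32(task, 4) at the top of the hunk no longer feeds alloc_sz, so in the visible lines the target-supplied value is not checked against anything. Consider using it, together with the number of bytes actually received, to decide whether the fields past the eight-byte header are parsed at all, and leave those fields zeroed when no reservation is held. The code that fills the structure lies outside this hunk, so that needs confirming there. If i has no remaining use, drop the read. A short comment above the alloc_sz assignment, saying that the full structure is allocated because the unmarshalling code fills in the first twelve bytes even for an eight-byte response, would keep a later cleanup from reintroducing the offsetof-based size.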