From 0577fa9d66af77f2a55ed928faffca83d744e52f Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 29 May 2013 18:05:22 +0200 Subject: [PATCH] Fix a buffer overflow in the code for unmarshalling the, PERSISTENT RESERVE IN / READ RESERVATION If no reservation is held a SCSI target sends a response that is eight bytes long while scsi-lowlevel.c fills in the first twelve bytes of a data structure for which only eight bytes are allocated. Fix this buffer overflow by always allocating a full scsi_persistent_reserve_in_read_reservation structure. Signed-off-by: Bart Van Assche --- lib/scsi-lowlevel.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/scsi-lowlevel.c b/lib/scsi-lowlevel.c index 77fedfe..4b04f63 100644 --- a/lib/scsi-lowlevel.c +++ b/lib/scsi-lowlevel.c @@ -802,9 +802,7 @@ scsi_persistentreservein_datain_unmarshall(struct scsi_task *task) size_t alloc_sz; i = task_get_uint32(task, 4); - alloc_sz = offsetof( - struct scsi_persistent_reserve_in_read_reservation, - reserved) + i; + alloc_sz = sizeof(struct scsi_persistent_reserve_in_read_reservation); rr = scsi_malloc(task, alloc_sz); if (rr == NULL) {