socket: fix bounds check in iscsi_iovector_readv_writev

If we received too few iovectors, niov++ may also
make iov2 point to uninitialized memory.

Signed-off-by: Peter Lieven <pl@kamp.de>
Peter Lieven
2015-03-26 11:42:53 +01:00
parent 44b1a2e1e0
commit 4ce740f737


@@ -455,17 +455,17 @@ iscsi_iovector_readv_writev(struct iscsi_context *iscsi, struct scsi_iovector *i
int niov=1; /* number of iovectors to pass */
uint32_t len2 = pos + count; /* adjust length of iov2 */
/* forward until iov2 points to the last iovec we pass later. it might
happen that we have a lot of iovectors but are limited by count */
while (len2 > iov2->iov_len) {
if (iovector->niov <= iovector->consumed+niov-1) {
niov++;
if (iovector->niov < iovector->consumed + niov) {
errno = EINVAL;
return -1;
}
niov++;
len2 -= iov2->iov_len;
iov2 = &iovector->iov[iovector->consumed+niov-1];
iov2 = &iovector->iov[iovector->consumed + niov - 1];
}
/* we might limit the length of the last iovec we pass to readv/writev