From 4ce740f737cef1de363b6d56a63bb0671716613e Mon Sep 17 00:00:00 2001 From: Peter Lieven Date: Thu, 26 Mar 2015 11:42:53 +0100 Subject: [PATCH] socket: fix bounds check in iscsi_iovector_readv_writev if we received too little iovectors niov++ may also make iov2 point to uninitialized memory. Signed-off-by: Peter Lieven --- lib/socket.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/socket.c b/lib/socket.c index 92ed5bf..4a6dd98 100644 --- a/lib/socket.c +++ b/lib/socket.c @@ -455,17 +455,17 @@ iscsi_iovector_readv_writev(struct iscsi_context *iscsi, struct scsi_iovector *i int niov=1; /* number of iovectors to pass */ uint32_t len2 = pos + count; /* adjust length of iov2 */ - + /* forward until iov2 points to the last iovec we pass later. it might happen that we have a lot of iovectors but are limited by count */ while (len2 > iov2->iov_len) { - if (iovector->niov <= iovector->consumed+niov-1) { + niov++; + if (iovector->niov < iovector->consumed + niov) { errno = EINVAL; return -1; } - niov++; len2 -= iov2->iov_len; - iov2 = &iovector->iov[iovector->consumed+niov-1]; + iov2 = &iovector->iov[iovector->consumed + niov - 1]; } /* we might limit the length of the last iovec we pass to readv/writev
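Review bot: The reordered check in the `while` loop guards `iovector->iov[iovector->consumed + niov - 1]`, but the loop condition reads `iov2->iov_len` on its first pass before any check runs, and the hunk does not show the initial `iov2` being validated against `iovector->niov`. If `iovector->consumed` can equal `iovector->niov` on entry, that first read would already be past the array, so confirm that the setup above the hunk rejects that case. Because the off-by-one was subtle, I would also record the invariant above the check, e.g. `/* consumed + niov entries must exist before iov[consumed + niov - 1] is read */`. The function body starts and ends outside the hunk, so the types of `niov` and `consumed` and the later readv/writev call are not visible here.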