authorKees Cook <keescook@chromium.org>2013-05-23 19:32:17 +0200
committerNicholas Bellinger <nab@linux-iscsi.org>2013-05-31 03:07:54 +0200
commitcea4dcfdad926a27a18e188720efe0f2c9403456 (patch)
tree7ae6fd132bbd1e7cd888dcaae6946cecfd20a2e1 /drivers/target/iscsi/iscsi_target_parameters.h
parenttarget/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export (diff)
iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target/iscsi/iscsi_target_parameters.h')
-rw-r--r--drivers/target/iscsi/iscsi_target_parameters.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
index 915b06798505..a47046a752aa 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -1,8 +1,10 @@
#ifndef ISCSI_PARAMETERS_H
#define ISCSI_PARAMETERS_H
+#include <scsi/iscsi_proto.h>
+
struct iscsi_extra_response {
- char key[64];
+ char key[KEY_MAXLEN];
char value[32];
struct list_head er_list;
} ____cacheline_aligned;
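Review bot: The bound on `key` now follows `KEY_MAXLEN`, but nothing in this header says the field must stay NUL-terminated or that writers must bound their copy by the array size, and the code that fills it (per the commit message, iscsi_add_notunderstood_response()) is outside this file-limited diff. I would add a comment on the field such as `/* NUL-terminated key name; bound every copy by sizeof(key) */` so the struct and the length check in iscsi_check_key() are visibly tied together. If that check accepts names of exactly `KEY_MAXLEN` characters, the array has no room for the terminator, so either the copy must truncate or the bound should be `KEY_MAXLEN + 1`; this needs confirming against the .c file. `value[32]` is still a bare literal and would benefit from a named constant in the same way. The header continues past the hunk, since the include guard is not closed here.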