Blame SOURCES/kvm-iscsi-Don-t-blindly-use-designator-length-in-respons.patch

ae23c9
From b00154f43c01657e4299c486f451ad50891d80f1 Mon Sep 17 00:00:00 2001
ae23c9
From: Fam Zheng <famz@redhat.com>
ae23c9
Date: Fri, 29 Jun 2018 06:11:52 +0200
ae23c9
Subject: [PATCH 178/268] iscsi: Don't blindly use designator length in
ae23c9
 response for memcpy
ae23c9
ae23c9
RH-Author: Fam Zheng <famz@redhat.com>
ae23c9
Message-id: <20180629061153.12687-13-famz@redhat.com>
ae23c9
Patchwork-id: 81162
ae23c9
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH v2 12/13] iscsi: Don't blindly use designator length in response for memcpy
ae23c9
Bugzilla: 1482537
ae23c9
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
ae23c9
RH-Acked-by: Max Reitz <mreitz@redhat.com>
ae23c9
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
ae23c9
ae23c9
Per SCSI definition the designator_length we receive from INQUIRY is 8,
ae23c9
12 or at most 16, but we should be careful because the remote iscsi
ae23c9
target may misbehave, otherwise we could have a buffer overflow.
ae23c9
ae23c9
Reported-by: Max Reitz <mreitz@redhat.com>
ae23c9
Signed-off-by: Fam Zheng <famz@redhat.com>
ae23c9
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
ae23c9
---
ae23c9
 block/iscsi.c | 2 +-
ae23c9
 1 file changed, 1 insertion(+), 1 deletion(-)
ae23c9
ae23c9
diff --git a/block/iscsi.c b/block/iscsi.c
ae23c9
index fbcd5bb..751884d 100644
ae23c9
--- a/block/iscsi.c
ae23c9
+++ b/block/iscsi.c
ae23c9
@@ -2226,7 +2226,7 @@ static void iscsi_populate_target_desc(unsigned char *desc, IscsiLun *lun)
ae23c9
     desc[5] = (dd->designator_type & 0xF)
ae23c9
         | ((dd->association & 3) << 4);
ae23c9
     desc[7] = dd->designator_length;
ae23c9
-    memcpy(desc + 8, dd->designator, dd->designator_length);
ae23c9
+    memcpy(desc + 8, dd->designator, MIN(dd->designator_length, 20));
ae23c9
 
ae23c9
     desc[28] = 0;
ae23c9
     desc[29] = (lun->block_size >> 16) & 0xFF;
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9