• Roland Dreier's avatar
    iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value() · 79d59d08
    Roland Dreier authored
    In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls
    iscsi_change_param_value() with the buffer it uses to hold the login
    PDU, not a temporary buffer.  This leads to the login header getting
    corrupted and login failing for non-leading connections in MC/S.
    
    Fix this by adding a wrapper iscsi_change_param_sprintf() that handles
    the temporary buffer itself to avoid confusion.  Also handle sending a
    reject in case of failure in the wrapper, which lets the calling code
    get quite a bit smaller and easier to read.
    
    Finally, bump the size of the temporary buffer from 32 to 64 bytes to be
    safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a
    trailing NUL, a value >= 1M will lead to a buffer overrun.  (This isn't
    the default but we don't need to run right at the ragged edge here)
    Reported-by: default avatarSantosh Kulkarni <santosh.kulkarni@calsoftinc.com>
    Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    79d59d08
iscsi_target_login.c 39 KB