aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch')
-rw-r--r--meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
new file mode 100644
index 0000000000..c63c0a8d56
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
@@ -0,0 +1,64 @@
+From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:21:15 -0800
+Subject: [PATCH 7/7] Check iscsiuio ping data length for validity
+
+We do not trust that the received ping packet data length
+is correct, so sanity check it. Found by Qualsys.
+
+CVE: CVE-2017-17840
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 5 +++++
+ iscsiuio/src/unix/packet.c | 2 +-
+ iscsiuio/src/unix/packet.h | 2 ++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 85742da..a2caacc 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
++++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -333,6 +333,11 @@ static void *perform_ping(void *arg)
+
+ data = (iscsid_uip_broadcast_t *)png_c->data;
+ datalen = data->u.ping_rec.datalen;
++ if ((datalen > STD_MTU_SIZE) || (datalen < 0)) {
++ LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
++ rc = -EINVAL;
++ goto ping_done;
++ }
+
+ memset(dst_addr, 0, sizeof(uip_ip6addr_t));
+ if (nic_iface->protocol == AF_INET) {
+diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
+index ecea09b..3ce2c6b 100644
+--- a/iscsiuio/src/unix/packet.c
++++ b/iscsiuio/src/unix/packet.c
+@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
+ for (i = 0; i < num_of_packets; i++) {
+ packet_t *pkt;
+
+- pkt = alloc_packet(1500, 1500);
++ pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
+ if (pkt == NULL) {
+ goto done;
+ }
+diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
+index b63d688..19d1db9 100644
+--- a/iscsiuio/src/unix/packet.h
++++ b/iscsiuio/src/unix/packet.h
+@@ -43,6 +43,8 @@
+
+ #include "nic.h"
+
++#define STD_MTU_SIZE 1500
++
+ struct nic;
+ struct nic_interface;
+
+--
+1.9.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-19 09:24:39 +0000