rpms/scsi-target-utils/devel scsi-target-utils-fix-isns-of.patch, NONE, 1.1 scsi-target-utils-snprintf-fix.patch, NONE, 1.1 scsi-target-utils.spec, 1.16, 1.17

Mike Christie michaelc at fedoraproject.org
Thu Jul 1 17:21:20 UTC 2010


Author: michaelc

Update of /cvs/pkgs/rpms/scsi-target-utils/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv20801

Modified Files:
	scsi-target-utils.spec 
Added Files:
	scsi-target-utils-fix-isns-of.patch 
	scsi-target-utils-snprintf-fix.patch 
Log Message:
Fix iSNS scn pdu overflows (CVE-2010-2221)

scsi-target-utils-fix-isns-of.patch:
 isns.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- NEW FILE scsi-target-utils-fix-isns-of.patch ---
diff -aurp tgt-20091205/usr/iscsi/isns.c tgt-20091205.work/usr/iscsi/isns.c
--- tgt-20091205/usr/iscsi/isns.c	2010-06-27 22:46:36.000000000 -0500
+++ tgt-20091205.work/usr/iscsi/isns.c	2010-06-28 16:43:04.000000000 -0500
@@ -604,17 +604,23 @@ static char *print_scn_pdu(struct isns_h
 	struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu;
 	uint16_t function, length, flags, transaction, sequence;
 	char *name = NULL;
+	static char iscsi_name[224];
 
 	get_hdr_param(hdr, function, length, flags, transaction, sequence);
 
 	while (length) {
 		uint32_t vlen = ntohl(tlv->length);
 
+		if (vlen + sizeof(*tlv) > length)
+			vlen = length - sizeof(*tlv);
+
 		switch (ntohl(tlv->tag)) {
 		case ISNS_ATTR_ISCSI_NAME:
 			eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
-			if (!name)
-				name = (char *) tlv->value;
+			if (!name) {
+				snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);
+				name = iscsi_name;
+			}
 			break;
 		case ISNS_ATTR_TIMESTAMP:
 /* 			log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */
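Review bot: The new `snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);` in the `if (!name)` branch passes data taken straight from the received PDU as the format string, so any `%` sequence in the attribute is interpreted rather than copied; it is the same pattern the companion snprintf-fix patch corrects elsewhere in isns.c. Because the value is also not guaranteed to be NUL-terminated within vlen, bound the read at the same time: `snprintf(iscsi_name, sizeof(iscsi_name), "%.*s", (int)vlen, (char *)tlv->value);` (the eprintf just above, with its bare `%s` on tlv->value, has the same unbounded read). The added clamp `if (vlen + sizeof(*tlv) > length)` only helps while length is at least sizeof(*tlv); if the loop can reach a remaining length smaller than that, `length - sizeof(*tlv)` wraps in unsigned arithmetic and vlen becomes huge, so a `if (length < sizeof(*tlv)) break;` before the clamp seems warranted, and the same applies to the second hunk's loop after `found:`. print_scn_pdu begins before this hunk and continues after it.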
@@ -675,11 +681,17 @@ found:
 
 	/* skip status */
 	tlv = (struct isns_tlv *) ((char *) hdr->pdu + 4);
+
+	if (length < 4)
+		goto free_qry_mgmt;
 	length -= 4;
 
 	while (length) {
 		uint32_t vlen = ntohl(tlv->length);
 
+		if (vlen + sizeof(*tlv) > length)
+			vlen = length - sizeof(*tlv);
+
 		switch (ntohl(tlv->tag)) {
 		case ISNS_ATTR_ISCSI_NAME:
 			name = (char *) tlv->value;
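Review bot: After the clamp, `name = (char *) tlv->value;` still points into the raw PDU with no guarantee of a NUL within vlen, and the companion snprintf-fix patch's hunk at `@@ -690` shows the same name later formatted with `"%s"` into ini->name, which reads until a terminator; as far as these hunks show, nothing inserts one. Copying into a bounded buffer with a length-limited conversion, `"%.*s", (int)vlen, (char *)tlv->value`, as the first hunk does with iscsi_name, or carrying vlen alongside name to that snprintf, would bound the read. The enclosing function starts before this hunk and continues after it.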

scsi-target-utils-snprintf-fix.patch:
 isns.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE scsi-target-utils-snprintf-fix.patch ---
--- tgt-1.0.1/usr/iscsi/isns.c.org	2010-03-22 17:18:59.788314323 -0600
+++ tgt-1.0.1/usr/iscsi/isns.c	2010-03-22 17:19:30.833004428 -0600
@@ -316,7 +316,7 @@ static int isns_attr_query(char *name)
 	tlv = (struct isns_tlv *) hdr->pdu;
 
 	if (name)
-		snprintf(mgmt->name, sizeof(mgmt->name), name);
+		snprintf(mgmt->name, sizeof(mgmt->name), "%s", name);
 	else {
 		mgmt->name[0] = '\0';
 		target = list_first_entry(&iscsi_targets_list,
@@ -690,7 +690,7 @@ found:
 				ini = malloc(sizeof(*ini));
 				if (!ini)
 					goto free_qry_mgmt;
-				snprintf(ini->name, sizeof(ini->name), name);
+				snprintf(ini->name, sizeof(ini->name), "%s", name);
 				list_add(&ini->ilist, &target->isns_list);
 			} else
 				name = NULL;


Index: scsi-target-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/scsi-target-utils/devel/scsi-target-utils.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- scsi-target-utils.spec	14 Feb 2010 22:43:08 -0000	1.16
+++ scsi-target-utils.spec	1 Jul 2010 17:21:20 -0000	1.17
@@ -1,6 +1,6 @@
 Name:           scsi-target-utils
 Version:        1.0.1
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        The SCSI target daemon and utility programs
 
 Group:          System Environment/Daemons
@@ -13,6 +13,8 @@ Source3:        targets.conf
 Patch0:         scsi-target-utils-redhatify-docs.patch
 Patch1:         scsi-target-utils-dynamic-link-iser.patch
 Patch2:         scsi-target-utils-hack-check-for-eventfd.patch
+Patch3:         scsi-target-utils-snprintf-fix.patch
+Patch4:         scsi-target-utils-fix-isns-of.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -31,7 +33,8 @@ Currently, software iSCSI targets are su
 %patch0 -p1 -b .redhatify-docs
 %patch1 -p1 -b .dynamic-link-iser
 %patch2 -p1 -b .hack-check-for-eventfd
-
+%patch3 -p1 -b .snprintf-fix
+%patch4 -p1 -b .fix-isns-of
 
 %build
 pushd usr
@@ -95,6 +98,12 @@ fi
 
 
 %changelog
+* Tue Jun 29 2010 Mike Christie <mchristie at redhat.com> - 1.0.1-4
+- Fix iSNS scn pdu overflows (CVE-2010-2221).
+
+* Thu Apr 8 2010 Mike Christie <mchristi at redhat.com> - 1.0.1-3
+- Fix format string vulnerability  (CVE-2010-0743)
+
 * Sun Feb 14 2010 Terje Rosten <terje.rosten at ntnu.no> - 1.0.1-2
 - Update iser patch to build with new link rules
 - Fix optflags


