rpms/scsi-target-utils/F-13 scsi-target-utils-fix-isns-of.patch, NONE, 1.1 scsi-target-utils.spec, 1.17, 1.18
Mike Christie
michaelc at fedoraproject.org
Thu Jul 1 17:22:33 UTC 2010
Author: michaelc
Update of /cvs/pkgs/rpms/scsi-target-utils/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv21057
Modified Files:
scsi-target-utils.spec
Added Files:
scsi-target-utils-fix-isns-of.patch
Log Message:
Fix iSNS scn pdu overflows (CVE-2010-2221)
scsi-target-utils-fix-isns-of.patch:
isns.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE scsi-target-utils-fix-isns-of.patch ---
diff -aurp tgt-20091205/usr/iscsi/isns.c tgt-20091205.work/usr/iscsi/isns.c
--- tgt-20091205/usr/iscsi/isns.c 2010-06-27 22:46:36.000000000 -0500
+++ tgt-20091205.work/usr/iscsi/isns.c 2010-06-28 16:43:04.000000000 -0500
@@ -604,17 +604,23 @@ static char *print_scn_pdu(struct isns_h
struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu;
uint16_t function, length, flags, transaction, sequence;
char *name = NULL;
+ static char iscsi_name[224];
get_hdr_param(hdr, function, length, flags, transaction, sequence);
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
- if (!name)
- name = (char *) tlv->value;
+ if (!name) {
+ snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);
+ name = iscsi_name;
+ }
break;
case ISNS_ATTR_TIMESTAMP:
/* log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */
@@ -675,11 +681,17 @@ found:
/* skip status */
tlv = (struct isns_tlv *) ((char *) hdr->pdu + 4);
+
+ if (length < 4)
+ goto free_qry_mgmt;
length -= 4;
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
name = (char *) tlv->value;
Index: scsi-target-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/scsi-target-utils/F-13/scsi-target-utils.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- scsi-target-utils.spec 9 Apr 2010 03:56:51 -0000 1.17
+++ scsi-target-utils.spec 1 Jul 2010 17:22:33 -0000 1.18
@@ -1,6 +1,6 @@
Name: scsi-target-utils
Version: 1.0.1
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: The SCSI target daemon and utility programs
Group: System Environment/Daemons
@@ -14,6 +14,7 @@ Patch0: scsi-target-utils-redhat
Patch1: scsi-target-utils-dynamic-link-iser.patch
Patch2: scsi-target-utils-hack-check-for-eventfd.patch
Patch3: scsi-target-utils-snprintf-fix.patch
+Patch4: scsi-target-utils-fix-isns-of.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -33,6 +34,7 @@ Currently, software iSCSI targets are su
%patch1 -p1 -b .dynamic-link-iser
%patch2 -p1 -b .hack-check-for-eventfd
%patch3 -p1 -b .snprintf-fix
+%patch4 -p1 -b .fix-isns-of
%build
pushd usr
@@ -96,7 +98,10 @@ fi
%changelog
-* Thu Apr 8 2010 Mike Christie <mchristi at redhat.com> - 1.0.1
+* Tue Jun 29 2010 Mike Christie <mchristie at redhat.com> - 1.0.1-4
+- Fix iSNS scn pdu overflows (CVE-2010-2221).
+
+* Thu Apr 8 2010 Mike Christie <mchristi at redhat.com> - 1.0.1-3
- Fix format string vulnerability (CVE-2010-0743)
* Sun Feb 14 2010 Terje Rosten <terje.rosten at ntnu.no> - 1.0.1-2
More information about the scm-commits
mailing list