rpms/scsi-target-utils/F-12 tgt-fix-isns-of.patch, NONE, 1.1 scsi-target-utils.spec, 1.14, 1.15
Mike Christie
michaelc at fedoraproject.org
Thu Jul 1 17:24:11 UTC 2010
- Previous message: rpms/scsi-target-utils/F-13 scsi-target-utils-fix-isns-of.patch, NONE, 1.1 scsi-target-utils.spec, 1.17, 1.18
- Next message: rpms/django-flash/devel .cvsignore, 1.3, 1.4 django-flash.spec, 1.2, 1.3 sources, 1.3, 1.4
Author: michaelc
Update of /cvs/pkgs/rpms/scsi-target-utils/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv21302
Modified Files:
scsi-target-utils.spec
Added Files:
tgt-fix-isns-of.patch
Log Message:
Fix iSNS scn pdu overflows (CVE-2010-2221)
tgt-fix-isns-of.patch:
isns.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE tgt-fix-isns-of.patch ---
diff -aurp tgt-20091205/usr/iscsi/isns.c tgt-20091205.work/usr/iscsi/isns.c
--- tgt-20091205/usr/iscsi/isns.c 2010-06-27 22:46:36.000000000 -0500
+++ tgt-20091205.work/usr/iscsi/isns.c 2010-06-28 16:43:04.000000000 -0500
@@ -604,17 +604,23 @@ static char *print_scn_pdu(struct isns_h
struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu;
uint16_t function, length, flags, transaction, sequence;
char *name = NULL;
+ static char iscsi_name[224];
get_hdr_param(hdr, function, length, flags, transaction, sequence);
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
- if (!name)
- name = (char *) tlv->value;
+ if (!name) {
+ snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);
+ name = iscsi_name;
+ }
break;
case ISNS_ATTR_TIMESTAMP:
/* log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */
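Review bot: In the ISNS_ATTR_ISCSI_NAME case, the added snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value) uses the attribute value taken from the PDU as the format string, so any % conversion inside the name is interpreted by snprintf. Pass the value as an argument instead, for example snprintf(iscsi_name, sizeof(iscsi_name), "%.*s", (int)vlen, (char *)tlv->value), which also keeps the copy within the clamped vlen. The eprintf just above still prints tlv->value with a plain %s and so relies on a terminator being present in the buffer. Separately, the new clamp computes length - sizeof(*tlv) in unsigned arithmetic (length is uint16_t, vlen is uint32_t), so when fewer than sizeof(*tlv) bytes remain it wraps to a large value rather than shrinking vlen; a length < sizeof(*tlv) check that leaves the loop before the clamp would close that case.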
@@ -675,11 +681,17 @@ found:
/* skip status */
tlv = (struct isns_tlv *) ((char *) hdr->pdu + 4);
+
+ if (length < 4)
+ goto free_qry_mgmt;
length -= 4;
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
name = (char *) tlv->value;
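Review bot: The clamp added in this second loop has the same wrap as the one in print_scn_pdu: if fewer than sizeof(*tlv) bytes are left after the 4-byte status is skipped, length - sizeof(*tlv) becomes a large unsigned value instead of a small one, so a length < sizeof(*tlv) exit belongs next to the new length < 4 check. Also, the ISNS_ATTR_ISCSI_NAME case here still sets name = (char *) tlv->value directly, without the bounded copy the previous hunk introduced; if name is later treated as a C string, it should be copied with a vlen bound here as well.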
Index: scsi-target-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/scsi-target-utils/F-12/scsi-target-utils.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- scsi-target-utils.spec 9 Apr 2010 04:16:00 -0000 1.14
+++ scsi-target-utils.spec 1 Jul 2010 17:24:10 -0000 1.15
@@ -1,6 +1,6 @@
Name: scsi-target-utils
Version: 1.0.1
-Release: 0%{?dist}
+Release: 2%{?dist}
Summary: The SCSI target daemon and utility programs
Group: System Environment/Daemons
@@ -12,6 +12,7 @@ Source2: sysconfig.tgtd
Source3: targets.conf
Patch0: tgt-20080805-shebang.patch
Patch1: tgt-snprintf-fix.patch
+Patch2: tgt-fix-isns-of.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -26,6 +27,7 @@ Currently, software iSCSI targets are su
%setup -q -n tgt-%{version}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%{__chmod} 0644 scripts/tgt-core-test
%build
@@ -93,6 +95,9 @@ fi
%changelog
+* Tue Jun 29 2010 Mike Christie <mchristi at redhat.com> - 1.0.2
+- Fix iSNS scn pdu overflows (CVE-2010-2221).
+
* Thu Apr 8 2010 Mike Christie <mchristi at redhat.com> - 1.0.1
- Fix format string vulnerability (CVE-2010-0743)
- Sync to upstream tgt-1.0.1
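Review bot: The new %changelog entry is labelled "- 1.0.2", but this diff leaves Version at 1.0.1 and sets Release to 2%{?dist}, so the entry should carry 1.0.1-2 to match the package that is actually built. The Release tag also goes from 0 straight to 2; if skipping 1 is intentional, the log message should say why.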
More information about the scm-commits
mailing list