open-iscsi/9014-iscsi-iname-p-name-occur-buffer-overflow.patch

From bbcbb04329e75fc91e2d9dc015fbb0efc7dd2ddd Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Sat, 9 Nov 2019 02:41:28 -0500
Subject: [PATCH] iscsi-iname -p xxxx resulting in buffer overflow

if the name is longer than 256 characters, when exec iscsi-iname -p name.
occur buffer overflow

such as follow:
iscsi-iname -p aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: iscsi-iname terminated
Aborted (core dumped)

---
 utils/iscsi-iname.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff -Nur a/utils/iscsi-iname.c b/utils/iscsi-iname.c
--- a/utils/iscsi-iname.c	2019-12-23 08:00:50.000000000 +0000
+++ b/utils/iscsi-iname.c	2019-12-23 08:05:09.000000000 +0000
@@ -50,6 +50,9 @@
 	int e;
 	int fd;
 	char *prefix;
+	char *prefix_node = ":node";
+	char *buffer = NULL;
+	int reserved_len;
 
 	/* initialize */
 	memset(iname, 0, sizeof (iname));
@@ -76,6 +79,13 @@
 		prefix = "iqn.2012-01.com.openeuler";
 	}
 
+	if (strlen(prefix) >= (sizeof(iname) - strlen(prefix_node))) {
+		printf("\nInput a unique iSCSI node name error. "
+		       "The maximum length is less than %lu\n",
+		       sizeof(iname) - strlen(prefix_node));
+		exit(0);
+	}
+
 	/* try to feed some entropy from the pool to MD5 in order to get
 	 * uniqueness properties
 	 */
@@ -132,8 +142,10 @@
 	}
 
 	/* print the prefix followed by 6 bytes of the MD5 hash */
-	sprintf(iname, "%s:node", prefix);
-
+	buffer = iname;
+	reserved_len = strlen(prefix_node);
+	snprintf(buffer, sizeof(iname) - reserved_len, "%s", prefix);
+	strncat(buffer, prefix_node, reserved_len);
 
 	iname[sizeof (iname) - 1] = '\0';
 	printf("%s\n", iname);
init package 2020-01-09 16:12:53 +08:00			`From bbcbb04329e75fc91e2d9dc015fbb0efc7dd2ddd Mon Sep 17 00:00:00 2001`
			`From: openEuler Buildteam <buildteam@openeuler.org>`
			`Date: Sat, 9 Nov 2019 02:41:28 -0500`
			`Subject: [PATCH] iscsi-iname -p xxxx resulting in buffer overflow`

			`if the name is longer than 256 characters, when exec iscsi-iname -p name.`
			`occur buffer overflow`

			`such as follow:`
			`iscsi-iname -p aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
			`* buffer overflow detected *: iscsi-iname terminated`
			`Aborted (core dumped)`

			`---`
			`utils/iscsi-iname.c \| 16 ++++++++++++++--`
			`1 file changed, 14 insertions(+), 2 deletions(-)`

			`diff -Nur a/utils/iscsi-iname.c b/utils/iscsi-iname.c`
			`--- a/utils/iscsi-iname.c 2019-12-23 08:00:50.000000000 +0000`
			`+++ b/utils/iscsi-iname.c 2019-12-23 08:05:09.000000000 +0000`
			`@@ -50,6 +50,9 @@`
			`int e;`
			`int fd;`
			`char *prefix;`
			`+ char *prefix_node = ":node";`
			`+ char *buffer = NULL;`
			`+ int reserved_len;`

			`/* initialize */`
			`memset(iname, 0, sizeof (iname));`
			`@@ -76,6 +79,13 @@`
			`prefix = "iqn.2012-01.com.openeuler";`
			`}`

			`+ if (strlen(prefix) >= (sizeof(iname) - strlen(prefix_node))) {`
			`+ printf("\nInput a unique iSCSI node name error. "`
			`+ "The maximum length is less than %lu\n",`
			`+ sizeof(iname) - strlen(prefix_node));`
			`+ exit(0);`
			`+ }`
			`+`
			`/* try to feed some entropy from the pool to MD5 in order to get`
			`* uniqueness properties`
			`*/`
			`@@ -132,8 +142,10 @@`
			`}`

			`/* print the prefix followed by 6 bytes of the MD5 hash */`
			`- sprintf(iname, "%s:node", prefix);`
			`-`
			`+ buffer = iname;`
			`+ reserved_len = strlen(prefix_node);`
			`+ snprintf(buffer, sizeof(iname) - reserved_len, "%s", prefix);`
			`+ strncat(buffer, prefix_node, reserved_len);`

			`iname[sizeof (iname) - 1] = '\0';`
			`printf("%s\n", iname);`