29 lines
1010 B
Diff
29 lines
1010 B
Diff
|
From 0c032f5f4f826199868099f0af10c4a913209573 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Chris Leech <cleech@redhat.com>
|
||
|
|
Date: Mon, 14 Sep 2020 14:09:56 -0700
|
||
|
|
Subject: [PATCH 6/8] iscsiadm buffer overflow regression when discovering many
|
||
|
|
targets at once
|
||
|
|
|
||
|
|
int_list type didn't zero the output string, so as the rec struct was reused
|
||
|
|
repeatedly during discovery it would keep growing with repeated values
|
||
|
|
triggering a strcat buffer overflow
|
||
|
|
---
|
||
|
|
usr/idbm.c | 1 +
|
||
|
|
1 file changed, 1 insertion(+)
|
||
|
|
|
||
|
|
diff --git a/usr/idbm.c b/usr/idbm.c
|
||
|
|
index 6309be0..42c2699 100644
|
||
|
|
--- a/usr/idbm.c
|
||
|
|
+++ b/usr/idbm.c
|
||
|
|
@@ -169,6 +169,7 @@ static struct idbm *db;
|
||
|
|
#define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \
|
||
|
|
_info[_n].type = TYPE_INT_LIST; \
|
||
|
|
strlcpy(_info[_n].name, _key, NAME_MAXVAL); \
|
||
|
|
+ _info[_n].value[0] = '\0'; \
|
||
|
|
for (unsigned long _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \
|
||
|
|
if (_rec->_name[_i] != (unsigned)~0) { \
|
||
|
|
for (unsigned long _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \
|
||
|
|
--
|
||
|
|
1.8.3.1
|
||
|
|
|