packages/open-iscsi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
open-iscsi/9014-iscsi-iname-p-name-occur-buffer-overflow.patch
eulerstorage 08550c303d init package
2020-01-09 16:49:50 +08:00

63 lines
2.0 KiB
Diff
Raw Blame History

From bbcbb04329e75fc91e2d9dc015fbb0efc7dd2ddd Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Sat, 9 Nov 2019 02:41:28 -0500
Subject: [PATCH] iscsi-iname -p xxxx resulting in buffer overflow
if the name is longer than 256 characters, when exec iscsi-iname -p name.
occur buffer overflow
such as follow:
iscsi-iname -p aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** buffer overflow detected ***: iscsi-iname terminated
Aborted (core dumped)
---
utils/iscsi-iname.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff -Nur a/utils/iscsi-iname.c b/utils/iscsi-iname.c
--- a/utils/iscsi-iname.c 2019-12-23 08:00:50.000000000 +0000
+++ b/utils/iscsi-iname.c 2019-12-23 08:05:09.000000000 +0000
@@ -50,6 +50,9 @@
int e;
int fd;
char *prefix;
+ char *prefix_node = ":node";
+ char *buffer = NULL;
+ int reserved_len;
/* initialize */
memset(iname, 0, sizeof (iname));
@@ -76,6 +79,13 @@
prefix = "iqn.2012-01.com.openeuler";
}
+ if (strlen(prefix) >= (sizeof(iname) - strlen(prefix_node))) {
+ printf("\nInput a unique iSCSI node name error. "
+ "The maximum length is less than %lu\n",
+ sizeof(iname) - strlen(prefix_node));
+ exit(0);
+ }
+
/* try to feed some entropy from the pool to MD5 in order to get
* uniqueness properties
*/
@@ -132,8 +142,10 @@
}
/* print the prefix followed by 6 bytes of the MD5 hash */
- sprintf(iname, "%s:node", prefix);
-
+ buffer = iname;
+ reserved_len = strlen(prefix_node);
+ snprintf(buffer, sizeof(iname) - reserved_len, "%s", prefix);
+ strncat(buffer, prefix_node, reserved_len);
iname[sizeof (iname) - 1] = '\0';
printf("%s\n", iname);
Reference in New Issue View Git Blame Copy Permalink