diff options
author | Roland Dreier <roland@purestorage.com> | 2014-05-29 13:32:30 -0700 |
---|---|---|
committer | Show Liu <show.liu@linaro.org> | 2014-06-18 12:05:31 +0800 |
commit | da09508630cd89310003685d28fb85adc30bc5a5 (patch) | |
tree | 83c45b5fe5a6bbbba66b79bc9784df758d634ad0 /drivers/power | |
parent | dd75f26ff64ff6bb8806456fc3ceba56fed384f7 (diff) |
iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value()
commit 79d59d08082dd0a0a18f8ceb78c99f9f321d72aa upstream.
In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls
iscsi_change_param_value() with the buffer it uses to hold the login
PDU, not a temporary buffer. This leads to the login header getting
corrupted and login failing for non-leading connections in MC/S.
Fix this by adding a wrapper iscsi_change_param_sprintf() that handles
the temporary buffer itself to avoid confusion. Also handle sending a
reject in case of failure in the wrapper, which lets the calling code
get quite a bit smaller and easier to read.
Finally, bump the size of the temporary buffer from 32 to 64 bytes to be
safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a
trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't
the default but we don't need to run right at the ragged edge here)
Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/power')
0 files changed, 0 insertions, 0 deletions