diff options
author | Lee Duncan <lduncan@suse.com> | 2020-11-14 14:18:29 -0800 |
---|---|---|
committer | Lee Duncan <lduncan@suse.com> | 2020-11-14 14:18:29 -0800 |
commit | 0061e5b7bf0c0f00f9e05cd908381e6bef69bd25 (patch) | |
tree | e035804a356f1bee5dc23d1d7aca9e25ff228002 | |
parent | dc6ecd3854d58ce3ecce7d30b5e412aa69e86d92 (diff) | |
download | open-iscsi-0061e5b7bf0c0f00f9e05cd908381e6bef69bd25.tar.gz |
iscsiadm: fix host stats mode coredump
The command:
> iscsiadm -m host -C stats -H <mac_addr>
Copies in the user-supplied mac address without checking its
length, but the maximum length is 17 characters. This overflows
the next field in the structure, or if libc checking is
enabled, produces this error:
> *** buffer overflow detected ***: iscsiadm terminated
Fix this by checking the length of the supply MAC address
before copying it into the array. Some extra debugging
error messages were added in the process.
-rw-r--r-- | usr/iscsi_sysfs.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/usr/iscsi_sysfs.c b/usr/iscsi_sysfs.c index 435c576..5298a6b 100644 --- a/usr/iscsi_sysfs.c +++ b/usr/iscsi_sysfs.c @@ -372,17 +372,29 @@ uint32_t iscsi_sysfs_get_host_no_from_hwaddress(char *hwaddress, int *rc) info = calloc(1, sizeof(*info)); if (!info) { + log_debug(4, "No memory for host info"); *rc = ISCSI_ERR_NOMEM; return -1; } - strcpy(info->iface.hwaddress, hwaddress); + /* make sure there is room for the MAC address plus NULL terminator */ + if (strlen(hwaddress) > (ISCSI_HWADDRESS_BUF_SIZE - 1)) { + log_debug(4, "HW Address \"%s\" too long (%d max)", + hwaddress, ISCSI_HWADDRESS_BUF_SIZE-1); + *rc = ISCSI_ERR_INVAL; + goto dun; + } + strncpy(info->iface.hwaddress, hwaddress, ISCSI_HWADDRESS_BUF_SIZE-1); local_rc = iscsi_sysfs_for_each_host(info, &nr_found, __get_host_no_from_hwaddress); if (local_rc == 1) host_no = info->host_no; - else + else { + log_debug(4, "Host not found from HW Address \"%s\"", + hwaddress); *rc = ISCSI_ERR_HOST_NOT_FOUND; + } +dun: free(info); return host_no; } |