authorChris Leech <cleech@redhat.com>2020-12-18 10:58:08 -0800
committerGitHub <noreply@github.com>2020-12-18 10:58:08 -0800
commit34e3ffb194f6fa3028c0eb2ff57e7db2d1026771 (patch)
tree58e51ccccef59fa72c3d49bb327426a91a96e14e
parentb680f6e81f2f05f7e721f0aa97ce8aa885b3f0ba (diff)
parenta8f2dce9f7efec48e353ef35e8a199534f66b0d5 (diff)
downloadopen-iscsi-34e3ffb194f6fa3028c0eb2ff57e7db2d1026771.tar.gz
Merge pull request from GHSA-r278-fm99-8rgp2.1.3
iscsiuio uIP input packet processing bounds checking fixes
-rw-r--r--Changelog46
-rw-r--r--iscsiuio/src/uip/uip.c43
-rw-r--r--libopeniscsiusr/version.h2
-rw-r--r--usr/version.h2
4 files changed, 80 insertions, 13 deletions
diff --git a/Changelog b/Changelog
index 29133ee..78ed73e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,49 @@
+open-iscsi-2.1.2 - open-iscsi-2.1.3
+
+Chris Leech (4):
+ iscsiadm buffer overflow regression when discovering many targets at once
+ check for header length underflow during checksum calculation
+ check for u8 overflow when processing TCP options
+ check for TCP urgent pointer past end of frame
+
+Gulam Mohamed (1):
+ iscsid: Poll timeout value to 1 minute for iscsid
+
+Khem Raj (1):
+ libopeniscsiusr: Compare with max int instead of max long
+
+Lee Duncan (4):
+ Add ability to attempt target logins asynchronously
+ Implement login "no_wait" for iscsiadm NODE mode
+ Updated iscsiadm man page.
+ iscsiadm: fix host stats mode coredump
+
+Wenchao Hao (15):
+ Fix memory leak in sysfs_get_str
+ iscsiadm: Optimize the the verification of mode paramters
+ Update .gitignore for cscope and gtags data base
+ iscsi_sysfs: Fix NULL pointer deference in iscsi_sysfs_read_iface
+ iscsi-iname: Verify open() return value before calling read()
+ iscsiuio: Fix invalid parameter when call fstat()
+ open-iscsi: Fix invalid pointer deference in find_initiator()
+ open-iscsi: Fix NULL pointer dereference in mgmt_ipc_read_req()
+ iscsi_net_util: Fix NULL pointer dereference in find_vlan_dev()
+ open-iscsi: Clean user_param list when process exit
+ fwparam_ppc: Fix NULL pointer dereference in find_devtree()
+ sysfs: Verify parameter of sysfs_device_get()
+ fwparam_ppc: Fix illegal memory access in fwparam_ppc.c
+ iscsiuio: Remove unused macro IFNAMSIZ defined in iscsid_ipc.c
+ fwparam_ppc: Fix memory leak in fwparam_ppc.c
+
+Yoshifumi Kinoshita (1):
+ iscsid: fix logging level when starting and shutting down daemon
+
+gulams (1):
+ iscsid: Check Invalid Session id for stop connection
+
+sonukumar159842@gmail.com (1):
+ TODO: Update to todo list.
+
open-iscsi-2.1.0 - open-iscsi-2.1.2
Christian Glombek (1):
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index e2ce2cc..e0a7221 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
- tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+ tcp_ipv4_hdr->len[1]);
+ /* check for underflow from an invalid length field */
+ if (upper_layer_len < UIP_IPv4_H_LEN) {
+ /* return 0 as an invalid checksum */
+ return 0;
+ }
+ upper_layer_len -= UIP_IPv4_H_LEN;
/* First sum pseudoheader. */
/* IP protocol and length fields. This addition cannot carry. */
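Review bot: The added check in upper_layer_chksum_ipv4 covers only the lower bound of the IPv4 total-length field; nothing in the hunk compares `upper_layer_len` with the number of bytes actually received. If callers have not already validated the length field against `ustack->uip_len`, the summation that follows could still run past the end of the frame, so either add that comparison here or state the precondition in a comment such as `/* caller has already verified len[] <= ustack->uip_len */`. The `return 0` also depends on callers treating 0 as a failed checksum, which is not visible here; a sentence in the function's header comment saying so would keep a future caller from reading 0 as success. The function body starts and ends outside the hunk.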
@@ -1789,16 +1795,18 @@ found_listen:
} else {
/* All other options have a length field, so
that we easily can skip past them. */
- if (ustack->
- uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
- c] == 0) {
+ if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
/* If the length field is zero, the
options are malformed
and we don't process them further. */
break;
}
- c += ustack->uip_buf[uip_ip_tcph_len +
- UIP_LLH_LEN + 1 + c];
+ if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
+ /* u8 overflow, actually there should
+ * never be more than 40 bytes of options */
+ break;
+ }
+ c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
}
}
}
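Review bot: The new guard `> (256 - c)` still lets a length equal to `256 - c` through, and if `c` is the 8-bit counter the comment implies (its declaration is outside the hunk) the following `c +=` then wraps to 0 instead of ending the option walk. Changing the comparison to `if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] >= (256 - c)) {` closes that case. The tighter bound is the one the comment already names, though: compare against the option bytes remaining in the header (at most 40) rather than against the width of the type. A length of 1 is also malformed, since the kind and length bytes alone occupy 2, and could be rejected together with the zero case. The same check is added in the hunk under `found:` and needs the same change; the enclosing loop starts outside both hunks.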
@@ -2004,6 +2012,14 @@ found:
further. */
break;
}
+ if ((ustack->uip_buf[uip_ip_tcph_len
+ + UIP_LLH_LEN + 1 +
+ c]) > (256 - c)) {
+ /* u8 overflow, actually there should
+ * never be more than 40 bytes of
+ * options */
+ break;
+ }
c += ustack->
uip_buf[uip_ip_tcph_len +
UIP_LLH_LEN + 1 +
@@ -2079,11 +2095,16 @@ tcp_send_finack:
} else {
uip_urglen = 0;
#else /* UIP_URGDATA > 0 */
- ustack->uip_appdata =
- ((char *)ustack->uip_appdata) +
- ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
- ustack->uip_len -=
- (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ if (tmp16 <= ustack->uip_len) {
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+ ustack->uip_len -= tmp16;
+ } else {
+ /* invalid urgent pointer length greater than frame */
+ /* we're discarding urgent data anyway, throw it all out */
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+ ustack->uip_len = 0;
+ }
#endif /* UIP_URGDATA > 0 */
}
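Review bot: The two branches added under `#else` perform the same pointer advance and length subtraction with different amounts, which leaves two copies of the arithmetic to keep in sync. Clamping first, `if (tmp16 > ustack->uip_len) tmp16 = ustack->uip_len;`, followed by the two existing lines `ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;` and `ustack->uip_len -= tmp16;`, gives the same result on a single path. The declaration of `tmp16` is outside the hunk; the comparison is only safe if it is an unsigned 16-bit type, which is worth confirming. An urgent pointer past the end of the frame is handled silently here, so a debug-level message through the project's existing logging would make such malformed segments visible during triage.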
diff --git a/libopeniscsiusr/version.h b/libopeniscsiusr/version.h
index 97031b0..62ecf81 100644
--- a/libopeniscsiusr/version.h
+++ b/libopeniscsiusr/version.h
@@ -25,6 +25,6 @@
* This may not be the same value as the kernel versions because
* some other maintainer could merge a patch without going through us
*/
-#define ISCSI_VERSION_STR "2.1.2"
+#define ISCSI_VERSION_STR "2.1.3"
#endif /* End of __ISCSI_OPEN_USR_VERSION_H__ */
diff --git a/usr/version.h b/usr/version.h
index 115a11c..a832419 100644
--- a/usr/version.h
+++ b/usr/version.h
@@ -6,7 +6,7 @@
* This may not be the same value as the kernel versions because
* some other maintainer could merge a patch without going through us
*/
-#define ISCSI_VERSION_STR "2.1.2"
+#define ISCSI_VERSION_STR "2.1.3"
#define ISCSI_VERSION_FILE "/sys/module/scsi_transport_iscsi/version"
#endif