diff options
author | Chris Leech <cleech@redhat.com> | 2020-09-14 14:09:56 -0700 |
---|---|---|
committer | Chris Leech <cleech@redhat.com> | 2020-09-17 09:55:00 -0700 |
commit | 0c032f5f4f826199868099f0af10c4a913209573 (patch) | |
tree | df2194b31dae4510ec83e8edd4a631cd1053ca6c /usr | |
parent | e89ffb2a81a000471fe6b558d93a4437656b30f9 (diff) | |
download | open-iscsi-0c032f5f4f826199868099f0af10c4a913209573.tar.gz |
iscsiadm buffer overflow regression when discovering many targets at once
int_list type didn't zero the output string, so as the rec struct was reused
repeatedly during discovery it would keep growing with repeated values
triggering a strcat buffer overflow
Diffstat (limited to 'usr')
-rw-r--r-- | usr/idbm.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -169,6 +169,7 @@ static struct idbm *db; #define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \ _info[_n].type = TYPE_INT_LIST; \ strlcpy(_info[_n].name, _key, NAME_MAXVAL); \ + _info[_n].value[0] = '\0'; \ for (unsigned long _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \ if (_rec->_name[_i] != (unsigned)~0) { \ for (unsigned long _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \ |