Blame SOURCES/0504-iscsiadm-buffer-overflow-regression-when-discovering.patch
|
 |
0e8382 |
From f1ad38e255da86e92003c63ae2927a64a8bce953 Mon Sep 17 00:00:00 2001
|
|
|
0e8382 |
From: Chris Leech <cleech@redhat.com>
|
|
|
0e8382 |
Date: Mon, 14 Sep 2020 14:09:56 -0700
|
|
|
0e8382 |
Subject: [PATCH 1/1] iscsiadm buffer overflow regression when discovering many
|
|
|
0e8382 |
targets at once
|
|
|
0e8382 |
|
|
|
0e8382 |
int_list type didn't zero the output string, so as the rec struct was reused
|
|
|
0e8382 |
repeatedly during discovery it would keep growing with repeated values
|
|
|
0e8382 |
triggering a strcat buffer overflow
|
|
|
0e8382 |
---
|
|
|
0e8382 |
usr/idbm.c | 1 +
|
|
|
0e8382 |
1 file changed, 1 insertion(+)
|
|
|
0e8382 |
|
|
|
0e8382 |
diff --git a/usr/idbm.c b/usr/idbm.c
|
|
|
0e8382 |
index 8d80b33..0862d29 100644
|
|
|
0e8382 |
--- a/usr/idbm.c
|
|
|
0e8382 |
+++ b/usr/idbm.c
|
|
|
0e8382 |
@@ -168,6 +168,7 @@ static struct idbm *db;
|
|
|
0e8382 |
#define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \
|
|
|
0e8382 |
_info[_n].type = TYPE_INT_LIST; \
|
|
|
0e8382 |
strlcpy(_info[_n].name, _key, NAME_MAXVAL); \
|
|
|
0e8382 |
+ _info[_n].value[0] = '\0'; \
|
|
|
0e8382 |
for(int _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \
|
|
|
0e8382 |
if (_rec->_name[_i] != ~0) { \
|
|
|
0e8382 |
for (int _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \
|
|
|
0e8382 |
--
|
|
|
0e8382 |
2.26.2
|
|
|
0e8382 |
|