From 59ede2cf4eee8729a4221000a5d1ecdd312a31ac Mon Sep 17 00:00:00 2001

From: Lee Duncan <lduncan@suse.com>

Date: Fri, 15 Dec 2017 11:21:15 -0800

Subject: [PATCH] Check iscsiuio ping data length for validity

We do not trust that the received ping packet data length

is correct, so sanity check it. Found by Qualsys.

---

 iscsiuio/src/unix/iscsid_ipc.c | 5 +++++

 iscsiuio/src/unix/packet.c     | 2 +-

 iscsiuio/src/unix/packet.h     | 2 ++

 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c

index 4e3d065667c9..d4322350fcf6 100644

--- a/iscsiuio/src/unix/iscsid_ipc.c

+++ b/iscsiuio/src/unix/iscsid_ipc.c

@@ -328,6 +328,11 @@ static void *perform_ping(void *arg)

 	data = (iscsid_uip_broadcast_t *)png_c->data;

 	datalen = data->u.ping_rec.datalen;

+	if ((datalen > STD_MTU_SIZE) || (datalen < 0)) {

+		LOG_ERR(PFX "Ping datalen invalid: %d", datalen);

+		rc = -EINVAL;

+		goto ping_done;

+	}

 	memset(dst_addr, 0, sizeof(uip_ip6addr_t));

 	if (nic_iface->protocol == AF_INET) {

diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c

index ecea09bedc22..3ce2c6b623e0 100644

--- a/iscsiuio/src/unix/packet.c

+++ b/iscsiuio/src/unix/packet.c

@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)

 	for (i = 0; i < num_of_packets; i++) {

 		packet_t *pkt;

-		pkt = alloc_packet(1500, 1500);

+		pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);

 		if (pkt == NULL) {

 			goto done;

 		}

diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h

index b63d68851bb4..19d1db912d18 100644

--- a/iscsiuio/src/unix/packet.h

+++ b/iscsiuio/src/unix/packet.h

@@ -43,6 +43,8 @@

 #include "nic.h"

+#define	STD_MTU_SIZE	1500

+

 struct nic;

 struct nic_interface;

-- 

2.17.2