From 59ede2cf4eee8729a4221000a5d1ecdd312a31ac Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 11:21:15 -0800
Subject: [PATCH] Check iscsiuio ping data length for validity

We do not trust that the received ping packet data length
is correct, so sanity check it. Found by Qualsys.
---
 iscsiuio/src/unix/iscsid_ipc.c | 5 +++++
 iscsiuio/src/unix/packet.c     | 2 +-
 iscsiuio/src/unix/packet.h     | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index 4e3d065667c9..d4322350fcf6 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -328,6 +328,11 @@ static void *perform_ping(void *arg)
 
 	data = (iscsid_uip_broadcast_t *)png_c->data;
 	datalen = data->u.ping_rec.datalen;
+	if ((datalen > STD_MTU_SIZE) || (datalen < 0)) {
+		LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
+		rc = -EINVAL;
+		goto ping_done;
+	}
 
 	memset(dst_addr, 0, sizeof(uip_ip6addr_t));
 	if (nic_iface->protocol == AF_INET) {
diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
index ecea09bedc22..3ce2c6b623e0 100644
--- a/iscsiuio/src/unix/packet.c
+++ b/iscsiuio/src/unix/packet.c
@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
 	for (i = 0; i < num_of_packets; i++) {
 		packet_t *pkt;
 
-		pkt = alloc_packet(1500, 1500);
+		pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
 		if (pkt == NULL) {
 			goto done;
 		}
diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
index b63d68851bb4..19d1db912d18 100644
--- a/iscsiuio/src/unix/packet.h
+++ b/iscsiuio/src/unix/packet.h
@@ -43,6 +43,8 @@
 
 #include "nic.h"
 
+#define	STD_MTU_SIZE	1500
+
 struct nic;
 struct nic_interface;
 
-- 
2.17.2