From b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea Mon Sep 17 00:00:00 2001
From: Lee Duncan <lduncan@suse.com>
Date: Fri, 15 Dec 2017 10:37:56 -0800
Subject: [PATCH] iscsiuio should ignore bogus iscsid broadcast packets
When iscsiuio is receiving broadcast packets from iscsid,
if the 'payload_len', carried in the packet, is too
large then ignore the packet and print a message.
Found by Qualsys.
---
iscsiuio/src/unix/iscsid_ipc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
index 64762654c523..b5d7051b0558 100644
--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
@@ -945,6 +945,12 @@ int process_iscsid_broadcast(int s2)
cmd = data->header.command;
payload_len = data->header.payload_len;
+ if (payload_len > sizeof(data->u)) {
+ LOG_ERR(PFX "Data payload length too large (%d). Corrupt payload?",
+ payload_len);
+ rc = -EINVAL;
+ goto error;
+ }
LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
cmd, payload_len);
--
2.17.2