[dm-devel] [PATCH 3/6] libmpathpersist: fix stack overflow in mpath_format_readfullstatus()

Martin Wilck mwilck at suse.com
Fri Jun 22 23:15:13 UTC 2018


Some storage arrays return corrupt data in response to READ FULL STATUS
PRIN commands. This may lead to stack overflow if the values aren't
sanitized.

Signed-off-by: Martin Wilck <mwilck at suse.com>
---
 libmpathpersist/mpath_pr_ioctl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libmpathpersist/mpath_pr_ioctl.c b/libmpathpersist/mpath_pr_ioctl.c
index bcbb9691..347f21b2 100644
--- a/libmpathpersist/mpath_pr_ioctl.c
+++ b/libmpathpersist/mpath_pr_ioctl.c
@@ -241,6 +241,13 @@ void mpath_format_readfullstatus(struct prin_resp *pr_buff, int len, int noisy)
 		fdesc.rtpi = get_unaligned_be16(&p[18]);
 
 		tid_len_len = get_unaligned_be32(&p[20]);
+		if (tid_len_len + 24 + k >= additional_length) {
+			condlog(0,
+				"%s: corrupt PRIN response: status descriptor end %d exceeds length %d",
+				__func__, tid_len_len + k + 24,
+				additional_length);
+			tid_len_len = additional_length - k - 24;
+		}
 
 		if (tid_len_len > 0)
 			decode_transport_id( &fdesc, &p[24], tid_len_len);
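Review bot: The guard at `if (tid_len_len + 24 + k >= additional_length)` adds to the untrusted 32-bit value before comparing, so a corrupt length near INT_MAX (the `%d` format suggests `tid_len_len` is a signed int) can wrap around or overflow and slip past the check, and a value that became negative in the 32-bit-to-int conversion is never clamped at all. Comparing the remaining space against the value instead avoids both: `if (tid_len_len < 0 || tid_len_len > additional_length - k - 24) {`. The `>=` also fires the level-0 "corrupt PRIN response" message for a descriptor that ends exactly at `additional_length`, which the clamp then leaves unchanged, so that case is a false positive. If `k + 24` can itself exceed `additional_length` (the loop bounds are outside the hunk), the clamp `tid_len_len = additional_length - k - 24;` yields a negative value; clamping that to 0 would make the later `k` advance, presumably, safe. mpath_format_readfullstatus starts and ends outside the hunk.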
@@ -272,6 +279,8 @@ decode_transport_id(struct prin_fulldescr *fdesc, unsigned char * p, int length)
 			break;
 		case MPATH_PROTOCOL_ID_ISCSI:
 			num = get_unaligned_be16(&p[2]);
+			if (num >= sizeof(fdesc->trnptid.iscsi_name))
+				num = sizeof(fdesc->trnptid.iscsi_name);
 			memcpy(&fdesc->trnptid.iscsi_name, &p[4], num);
 			jump = (((num + 4) < 24) ? 24 : num + 4);
 			break;
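Review bot: The new clamp bounds `num` against the destination `fdesc->trnptid.iscsi_name` but not against the source: `memcpy(&fdesc->trnptid.iscsi_name, &p[4], num);` still reads up to 65535 bytes from `p` regardless of the `length` parameter in decode_transport_id's signature, so a corrupt descriptor can still over-read the PRIN buffer. Add a source-side bound alongside the existing one, e.g. `if (num > length - 4) num = length > 4 ? length - 4 : 0;`. Note also that clamping to the full `sizeof(fdesc->trnptid.iscsi_name)` fills the array with no room for a terminator; if iscsi_name is later used as a C string (not visible here), clamp to `sizeof(...) - 1` and explicitly terminate. decode_transport_id starts and ends outside the hunk.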
-- 
2.17.1



