File CVE-2016-5126-qemuu-buffer-overflow-in-iscsi_aio_ioctl.patch of Package xen.4507
References: bsc#982286 CVE-2016-5126
From: Peter Lieven
Subject: [Qemu-block] [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
Date: Tue, 24 May 2016 10:59:28 +0200
At least in the path via virtio-blk, the maximum size is not
restricted.
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
---
block/iscsi.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/block/iscsi.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/block/iscsi.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/block/iscsi.c
@@ -719,6 +719,13 @@ static BlockDriverAIOCB *iscsi_aio_ioctl
acb->buf = NULL;
acb->ioh = buf;
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
+ qemu_aio_unref(acb);
+ return NULL;
+ }
+
acb->task = malloc(sizeof(struct scsi_task));
if (acb->task == NULL) {
error_report("iSCSI: Failed to allocate task for scsi command. %s",