Re: [PATCH v3] scsi: target: iscsi: reject invalid size Extended CDB AHS
From: Martin K. Petersen
Date: Tue Apr 21 2026 - 21:11:59 EST
Carlos,
> If ecdb_ahdr->ahslength is zero, two bugs follow:
>
> kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15, ...)
>
> allocates 15 bytes, but the immediately following memcpy writes
> ISCSI_CDB_SIZE (16) bytes into it, a one-byte heap overflow. Also:
Applied to 7.1/scsi-staging, thanks!
--
Martin K. Petersen
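
The size arithmetic from the quoted commit message, as an added userspace example (not code from the patch or the kernel). The names `ecdb_alloc_size`, `ecdb_overrun` and `ecdb_buf_new` are hypothetical, and rejecting an undersized length before allocating is an assumed policy for illustration, not the applied fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ISCSI_CDB_SIZE 16 /* bytes the memcpy in the quoted text writes */

/* Decode the big-endian 16-bit length field (what be16_to_cpu() yields). */
static uint16_t ahs_len(const uint8_t be[2])
{
    return (uint16_t)((be[0] << 8) | be[1]);
}

/* Size requested by the quoted kmalloc() expression: ahslength + 15. */
size_t ecdb_alloc_size(uint16_t ahslength)
{
    return (size_t)ahslength + 15;
}

/* Bytes by which the fixed ISCSI_CDB_SIZE copy overruns that allocation. */
size_t ecdb_overrun(uint16_t ahslength)
{
    size_t n = ecdb_alloc_size(ahslength);
    return n < ISCSI_CDB_SIZE ? ISCSI_CDB_SIZE - n : 0;
}

/* Hypothetical checked constructor: validate first, then allocate and copy
 * the base CDB. The rest of the buffer is left zeroed; this sketch does not
 * model the extended CDB bytes. Returns NULL on rejection or alloc failure. */
uint8_t *ecdb_buf_new(const uint8_t len_be[2], const uint8_t *base_cdb,
                      size_t *out_len)
{
    uint16_t len = ahs_len(len_be);
    size_t n = ecdb_alloc_size(len);
    uint8_t *buf;

    if (ecdb_overrun(len) != 0)
        return NULL; /* assumed policy: reject instead of allocating */
    buf = calloc(1, n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, base_cdb, ISCSI_CDB_SIZE);
    *out_len = n;
    return buf;
}

int main(void)
{
    const uint8_t zero_len[2] = {0x00, 0x00}; /* constructed input */
    const uint8_t cdb[ISCSI_CDB_SIZE] = {0x7f};
    size_t n = 0;
    return ecdb_buf_new(zero_len, cdb, &n) == NULL ? 0 : 1;
}
```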