[PATCH] Fix memory corruption in iscsi_handle_text_cmd()


Nicholas A. Bellinger

Feb 13, 2008, 10:46:43 AM
to Linux-iSCSI.org Target Dev, Bart Van Assche
Greetings all,

I was able to locate the issue with iSCSI in-band SendTargets discovery
that was causing an issue with CONFIG_SLUB. This ended up being memory
corruption in iscsi_handle_text_cmd(), for which the bugfix is below. I
also located and fixed two memory leaks on the exception path. Here is
the patch.

Bart, this is now passing the 1000 iteration loop for iscsiadm
discovery. I am now going to test out SE I/O to PSCSI and RAMDISK_DR
and make sure everything is OK before I hand it off to you. If all
looks good, I am going to update the Ubuntu repos on Linux-iSCSI.org,
and then update the JeOS LIO-VMs.

Many thanks for your most valuable of time,

--nab

Index: target/iscsi_target.c
===================================================================
--- target/iscsi_target.c (revision 249)
+++ target/iscsi_target.c (revision 250)
@@ -2529,6 +2529,7 @@
TRACE_ERROR("Unable to recover from"
" Text Data digest failure while in"
" ERL=0.\n");
+ kfree(text_in);
return(-1);
} else {
/*
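Review bot: The kfree(text_in) added before return(-1) in the ERL=0 digest-failure branch is an open-coded cleanup on a single exit, so every other error return after the allocation has to repeat it by hand. A shared exit label that frees text_in, reached with goto and a local return value, would keep later error paths from reintroducing the leak. The parenthesized return(-1) is also not kernel style; plain return -1 reads better.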
@@ -2538,6 +2539,7 @@
TRACE(TRACE_ERL1, "Dropping Text"
" Command CmdSN: 0x%08x due to"
" DataCRC error.\n", hdr->cmd_sn);
+ kfree(text_in);
return(0);
}
} else {
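Review bot: The kfree(text_in) before return(0) in the DataCRC drop path fixes a leak, not the corruption named in the subject line, so this and the other exception-path kfree would be easier to review and backport as a patch separate from the terminator fix. Because the function returns success right after freeing the buffer, a short comment stating that nothing retains text_in once the command is dropped would help the next reader.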
@@ -2546,7 +2548,7 @@
checksum, text_length);
}
}
- text_in[text_length] = '\0';
+ text_in[text_length - 1] = '\0';
TRACE(TRACE_ISCSI, "Successfully read %d bytes of text"
" data.\n", text_length);
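Review bot: The new index in text_in[text_length - 1] = '\0' writes before the start of the buffer when text_length is 0, and no check on text_length is visible in this hunk; guard it, or skip the termination for an empty payload, before this line. Moving the terminator from text_in[text_length] to the last received byte also overwrites that byte, so a payload whose final byte is not already NUL silently loses one character. If the old write overran because the buffer holds exactly text_length bytes, allocating text_length + 1 and keeping the original index would terminate the string without touching received data. The allocation is not shown in this hunk, so that sizing is an assumption to confirm.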

