iscsi-initiator-utils: CVE-2017-17840

Backport CVE patches from the github upstream: https://github.com/open-iscsi/open-iscsi commit as follows: e313bd648a4c8a9526421e270eb597a5de1e0c7f b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea be58eed849f5457bb49b79e94aa6a26971ba6deb 5504053cc08df38d8d85032fa1691e363dfcfb92 85f647c4300a888bb6cbc27f33138549cab617e3 a7a96131bd2ea342f6def0e46be514baf8037ae8 59ede2cf4eee8729a4221000a5d1ecdd312a31ac https://nvd.nist.gov/vuln/detail/CVE-2017-17840 A local attacker can cause the iscsiuio server to abort or potentially execute code by sending messages with incorrect lengths, which (due to lack of checking) can lead to buffer overflows, and result in aborts (with overflow checking enabled) or code execution. The process_iscsid_broadcast function in iscsiuio/src/unix/iscsid_ipc.c does not validate the payload length before a write operation Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2018-01-04 02:52:14 -0800
committer: Joe MacDonald <joe_macdonald@mentor.com> 2018-02-04 19:18:40 -0500
commit: fdd3c62df9f4cb4e263aca4ab426ae9f88b29912 (patch)
tree: f372b2e621c980d7c44b41bef2c0a74526d92ba3 /meta-networking/recipes-daemons
parent: 99aa19ff53922b61dee0c8b63ee7f664f90e9a91 (diff)
download: meta-openembedded-fdd3c62df9f4cb4e263aca4ab426ae9f88b29912.tar.gz
8 files changed, 463 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
new file mode 100644
index 0000000000..2fd5c08a1c
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
@@ -0,0 +1,135 @@
+From eb516ac5f9dddc80564f6becee08a0011e7aa58b Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 10:36:11 -0800
+Subject: [PATCH 1/7] Check for root peer user for iscsiuio IPC
+This fixes a possible vulnerability where a non-root
+process could connect with iscsiuio. Fouund by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/Makefile.am  |  3 ++-
+ iscsiuio/src/unix/iscsid_ipc.c | 47 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 1 deletion(-)
+diff --git a/iscsiuio/src/unix/Makefile.am b/iscsiuio/src/unix/Makefile.am
+index 71d5463..a989ef0 100644
+--- a/iscsiuio/src/unix/Makefile.am
+++ b/iscsiuio/src/unix/Makefile.am
+@@ -20,7 +20,8 @@ iscsiuio_SOURCES =    build_date.c            \
+                        nic_utils.c             \
+                        packet.c                \
+                        iscsid_ipc.c            \
+-                       ping.c
+                       ping.c                  \
+                       ${top_srcdir}/../utils/sysdeps/sysdeps.c
+ 
+ iscsiuio_CFLAGS =      $(AM_CFLAGS)            \
+                        $(LIBNL_CFLAGS)         \
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index a2a59a8..08e49e5 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -37,6 +37,8 @@
+  *
+  */
+ 
+#define _GNU_SOURCE
+
+ #include <errno.h>
+ #include <pthread.h>
+ #include <signal.h>
+@@ -47,6 +49,8 @@
+ #include <sys/socket.h>
+ #include <sys/time.h>
+ #include <sys/un.h>
+#include <sys/types.h>
+#include <pwd.h>
+ 
+ #define PFX "iscsi_ipc "
+ 
+@@ -61,6 +65,7 @@
+ #include "iscsid_ipc.h"
+ #include "uip.h"
+ #include "uip_mgmt_ipc.h"
+#include "sysdeps.h"
+ 
+ #include "logger.h"
+ #include "uip.h"
+@@ -102,6 +107,7 @@ struct iface_rec_decode {
+        uint16_t                mtu;
+ };
+ 
+#define PEERUSER_MAX   64
+ 
+ /******************************************************************************
+  *  iscsid_ipc Constants
+@@ -1029,6 +1035,40 @@ static void iscsid_loop_close(void *arg)
+        LOG_INFO(PFX "iSCSI daemon socket closed");
+ }
+ 
+/*
+ * check that the peer user is privilidged
+ *
+ * return 1 if peer is ok else 0
+ *
+ * XXX: this function is copied from iscsid_ipc.c and should be
+ * moved into a common library
+ */
+static int
+mgmt_peeruser(int sock, char *user)
+{
+       struct ucred peercred;
+       socklen_t so_len = sizeof(peercred);
+       struct passwd *pass;
+
+       errno = 0;
+       if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred,
+               &so_len) != 0 || so_len != sizeof(peercred)) {
+               /* We didn't get a valid credentials struct. */
+               LOG_ERR(PFX "peeruser_unux: error receiving credentials: %m");
+               return 0;
+       }
+
+       pass = getpwuid(peercred.uid);
+       if (pass == NULL) {
+               LOG_ERR(PFX "peeruser_unix: unknown local user with uid %d",
+                               (int) peercred.uid);
+               return 0;
+       }
+
+       strlcpy(user, pass->pw_name, PEERUSER_MAX);
+       return 1;
+}
+
+ /**
+  *  iscsid_loop() - This is the function which will process the broadcast
+  *                  messages from iscsid
+@@ -1038,6 +1078,7 @@ static void *iscsid_loop(void *arg)
+ {
+        int rc;
+        sigset_t set;
+       char user[PEERUSER_MAX];
+ 
+        pthread_cleanup_push(iscsid_loop_close, arg);
+ 
+@@ -1077,6 +1118,12 @@ static void *iscsid_loop(void *arg)
+                        continue;
+                }
+ 
+               if (!mgmt_peeruser(iscsid_opts.fd, user) || strncmp(user, "root", PEERUSER_MAX)) {
+                       close(s2);
+                       LOG_ERR(PFX "Access error: non-administrative connection rejected");
+                       break;
+               }
+
+                process_iscsid_broadcast(s2);
+                close(s2);
+        }
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch
new file mode 100644
index 0000000000..1f5202ec02
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch
@@ -0,0 +1,39 @@
+From 035bb16845537351e1bccb16d38981754fd53129 Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 10:37:56 -0800
+Subject: [PATCH 2/7] iscsiuio should ignore bogus iscsid broadcast packets
+When iscsiuio is receiving broadcast packets from iscsid,
+if the 'payload_len', carried in the packet, is too
+large then ignore the packet and print a message.
+Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 08e49e5..dfdae63 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -950,6 +950,12 @@ int process_iscsid_broadcast(int s2)
+ 
+        cmd = data->header.command;
+        payload_len = data->header.payload_len;
+       if (payload_len > sizeof(data->u)) {
+               LOG_ERR(PFX "Data payload length too large (%d). Corrupt payload?",
+                               payload_len);
+               rc = -EINVAL;
+               goto error;
+       }
+ 
+        LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
+                  cmd, payload_len);
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch
new file mode 100644
index 0000000000..825083b741
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch
@@ -0,0 +1,34 @@
+From 81d3106cf8f09c79fe20ad7d234d7e1dda27bddb Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:11:17 -0800
+Subject: [PATCH 3/7] Ensure all fields in iscsiuio IPC response are set
+Make sure all fields in the response strcuture are set,
+or info from the stack can be leaked to our caller.
+Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index dfdae63..61e96cc 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -960,6 +960,8 @@ int process_iscsid_broadcast(int s2)
+        LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
+                  cmd, payload_len);
+ 
+       memset(&rsp, 0, sizeof(rsp));
+
+        switch (cmd) {
+        case ISCSID_UIP_IPC_GET_IFACE:
+                size = fread(&data->u.iface_rec, payload_len, 1, fd);
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch
new file mode 100644
index 0000000000..274722c231
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch
@@ -0,0 +1,62 @@
+From 8167e5ce99682f64918a20966ce393cd33ac67ef Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:13:29 -0800
+Subject: [PATCH 4/7] Do not double-close IPC file stream to iscsid
+A double-close of a file descriptor and its associated FILE stream
+can be an issue in multi-threaded cases. Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 61e96cc..bde8d66 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -913,6 +913,9 @@ early_exit:
+ /**
+  *  process_iscsid_broadcast() - This function is used to process the
+  *                               broadcast messages from iscsid
+ *
+ *                               s2 is an open file descriptor, which
+ *                               must not be left open upon return
+  */
+ int process_iscsid_broadcast(int s2)
+ {
+@@ -928,6 +931,7 @@ int process_iscsid_broadcast(int s2)
+        if (fd == NULL) {
+                LOG_ERR(PFX "Couldn't open file descriptor: %d(%s)",
+                        errno, strerror(errno));
+               close(s2);
+                return -EIO;
+        }
+ 
+@@ -1030,7 +1034,8 @@ int process_iscsid_broadcast(int s2)
+        }
+ 
+ error:
+-       free(data);
+       if (data)
+               free(data);
+        fclose(fd);
+ 
+        return rc;
+@@ -1132,8 +1137,8 @@ static void *iscsid_loop(void *arg)
+                        break;
+                }
+ 
+               /* this closes the file descriptor s2 */
+                process_iscsid_broadcast(s2);
+-               close(s2);
+        }
+ 
+        pthread_cleanup_pop(0);
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch
new file mode 100644
index 0000000000..b73b01120e
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch
@@ -0,0 +1,78 @@
+From c9fc86a50459776d9a7abb609f6503c57d69e034 Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:15:26 -0800
+Subject: [PATCH 5/7] Ensure strings from peer are copied correctly.
+The method of using strlen() and strcpy()/strncpy() has
+a couple of holes. Do not try to measure the length of
+strings supplied from peer, and ensure copied strings are
+NULL-terminated. Use the new strlcpy() instead.
+Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index bde8d66..52ae8c6 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -152,10 +152,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird)
+        struct in_addr ia;
+        struct in6_addr ia6;
+ 
+-       if (strlen(in_ipaddr_str) > NI_MAXHOST)
+-               strncpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
+-       else
+-               strcpy(ipaddr_str, in_ipaddr_str);
+       strlcpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
+ 
+        /* Find the CIDR if any */
+        tmp = strchr(ipaddr_str, '/');
+@@ -287,22 +284,16 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec)
+ 
+                        /* For LL on, ignore the IPv6 addr in the iface */
+                        if (ird->linklocal_autocfg == IPV6_LL_AUTOCFG_OFF) {
+-                               if (strlen(rec->ipv6_linklocal) > NI_MAXHOST)
+-                                       strncpy(ipaddr_str, rec->ipv6_linklocal,
+-                                               NI_MAXHOST);
+-                               else
+-                                       strcpy(ipaddr_str, rec->ipv6_linklocal);
+                               strlcpy(ipaddr_str, rec->ipv6_linklocal,
+                                       NI_MAXHOST);
+                                inet_pton(AF_INET6, ipaddr_str,
+                                          &ird->ipv6_linklocal);
+                        }
+ 
+                        /* For RTR on, ignore the IPv6 addr in the iface */
+                        if (ird->router_autocfg == IPV6_RTR_AUTOCFG_OFF) {
+-                               if (strlen(rec->ipv6_router) > NI_MAXHOST)
+-                                       strncpy(ipaddr_str, rec->ipv6_router,
+-                                               NI_MAXHOST);
+-                               else
+-                                       strcpy(ipaddr_str, rec->ipv6_router);
+                               strlcpy(ipaddr_str, rec->ipv6_router,
+                                       NI_MAXHOST);
+                                inet_pton(AF_INET6, ipaddr_str,
+                                          &ird->ipv6_router);
+                        }
+@@ -316,10 +307,7 @@ static int decode_iface(struct iface_rec_decode *ird, struct iface_rec *rec)
+                                        calculate_default_netmask(
+                                                        ird->ipv4_addr.s_addr);
+ 
+-                       if (strlen(rec->gateway) > NI_MAXHOST)
+-                               strncpy(ipaddr_str, rec->gateway, NI_MAXHOST);
+-                       else
+-                               strcpy(ipaddr_str, rec->gateway);
+                       strlcpy(ipaddr_str, rec->gateway, NI_MAXHOST);
+                        inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway);
+                }
+        } else {
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch
new file mode 100644
index 0000000000..0fa24cd10d
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch
@@ -0,0 +1,44 @@
+From a6efed7601c890ac051ad1425582ec67dbd3f5ff Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:18:35 -0800
+Subject: [PATCH 6/7] Skip useless strcopy, and validate CIDR length
+Remove a useless strcpy() that copies a string onto itself,
+and ensure the CIDR length "keepbits" is not negative.
+Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 52ae8c6..85742da 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -148,7 +148,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird)
+        char *tmp, *tok;
+        char ipaddr_str[NI_MAXHOST];
+        char str[INET6_ADDRSTRLEN];
+-       int keepbits = 0;
+       unsigned long keepbits = 0;
+        struct in_addr ia;
+        struct in6_addr ia6;
+ 
+@@ -161,8 +161,7 @@ static int decode_cidr(char *in_ipaddr_str, struct iface_rec_decode *ird)
+                tmp = ipaddr_str;
+                tok = strsep(&tmp, "/");
+                LOG_INFO(PFX "in cidr: bitmask '%s' ip '%s'", tmp, tok);
+-               keepbits = atoi(tmp);
+-               strcpy(ipaddr_str, tok);
+               keepbits = strtoull(tmp, NULL, 10);
+        }
+ 
+        /*  Determine if the IP address passed from the iface file is
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
new file mode 100644
index 0000000000..c63c0a8d56
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
@@ -0,0 +1,64 @@
+From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:21:15 -0800
+Subject: [PATCH 7/7] Check iscsiuio ping data length for validity
+We do not trust that the received ping packet data length
+is correct, so sanity check it. Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 5 +++++
+ iscsiuio/src/unix/packet.c     | 2 +-
+ iscsiuio/src/unix/packet.h     | 2 ++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 85742da..a2caacc 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -333,6 +333,11 @@ static void *perform_ping(void *arg)
+ 
+        data = (iscsid_uip_broadcast_t *)png_c->data;
+        datalen = data->u.ping_rec.datalen;
+       if ((datalen > STD_MTU_SIZE) || (datalen < 0)) {
+               LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
+               rc = -EINVAL;
+               goto ping_done;
+       }
+ 
+        memset(dst_addr, 0, sizeof(uip_ip6addr_t));
+        if (nic_iface->protocol == AF_INET) {
+diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
+index ecea09b..3ce2c6b 100644
+--- a/iscsiuio/src/unix/packet.c
+++ b/iscsiuio/src/unix/packet.c
+@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
+        for (i = 0; i < num_of_packets; i++) {
+                packet_t *pkt;
+ 
+-               pkt = alloc_packet(1500, 1500);
+               pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
+                if (pkt == NULL) {
+                        goto done;
+                }
+diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
+index b63d688..19d1db9 100644
+--- a/iscsiuio/src/unix/packet.h
+++ b/iscsiuio/src/unix/packet.h
+@@ -43,6 +43,8 @@
+ 
+ #include "nic.h"
+ 
+#define        STD_MTU_SIZE    1500
+
+ struct nic;
+ struct nic_interface;
+ 
+-- 
+1.9.1
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb
index 95848d0b33..6c4a867b52 100644
--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb
@@ -22,6 +22,13 @@ SRC_URI = "git://github.com/open-iscsi/open-iscsi \
    file://iscsi-initiator.service \
    file://iscsi-initiator-targets.service \
    file://set_initiatorname \
+    file://0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch \
+    file://0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch \
+    file://0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch \
+    file://0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch \
+    file://0005-Ensure-strings-from-peer-are-copied-correctly.patch \
+    file://0006-Skip-useless-strcopy-and-validate-CIDR-length.patch \
+    file://0007-Check-iscsiuio-ping-data-length-for-validity.patch \
 "
 S = "${WORKDIR}/git"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2018-01-04 02:52:14 -0800
committer	Joe MacDonald <joe_macdonald@mentor.com>	2018-02-04 19:18:40 -0500
commit	fdd3c62df9f4cb4e263aca4ab426ae9f88b29912 (patch)
tree	f372b2e621c980d7c44b41bef2c0a74526d92ba3 /meta-networking/recipes-daemons
parent	99aa19ff53922b61dee0c8b63ee7f664f90e9a91 (diff)
download	meta-openembedded-fdd3c62df9f4cb4e263aca4ab426ae9f88b29912.tar.gz

diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch new file mode 100644 index 0000000000..2fd5c08a1c --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
@@ -0,0 +1,135 @@
		1	From eb516ac5f9dddc80564f6becee08a0011e7aa58b Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 10:36:11 -0800
		4	Subject: [PATCH 1/7] Check for root peer user for iscsiuio IPC
		5
		6	This fixes a possible vulnerability where a non-root
		7	process could connect with iscsiuio. Fouund by Qualsys.
		8
		9	CVE: CVE-2017-17840
		10
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		14	---
		15	iscsiuio/src/unix/Makefile.am \| 3 ++-
		16	iscsiuio/src/unix/iscsid_ipc.c \| 47 ++++++++++++++++++++++++++++++++++++++++++
		17	2 files changed, 49 insertions(+), 1 deletion(-)
		18
		19	diff --git a/iscsiuio/src/unix/Makefile.am b/iscsiuio/src/unix/Makefile.am
		20	index 71d5463..a989ef0 100644
		21	--- a/iscsiuio/src/unix/Makefile.am
		22	+++ b/iscsiuio/src/unix/Makefile.am
		23	@@ -20,7 +20,8 @@ iscsiuio_SOURCES = build_date.c \
		24	nic_utils.c \
		25	packet.c \
		26	iscsid_ipc.c \
		27	- ping.c
		28	+ ping.c \
		29	+ ${top_srcdir}/../utils/sysdeps/sysdeps.c
		30
		31	iscsiuio_CFLAGS = $(AM_CFLAGS) \
		32	$(LIBNL_CFLAGS) \
		33	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		34	index a2a59a8..08e49e5 100644
		35	--- a/iscsiuio/src/unix/iscsid_ipc.c
		36	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		37	@@ -37,6 +37,8 @@
		38	*
		39	*/
		40
		41	+#define _GNU_SOURCE
		42	+
		43	#include <errno.h>
		44	#include <pthread.h>
		45	#include <signal.h>
		46	@@ -47,6 +49,8 @@
		47	#include <sys/socket.h>
		48	#include <sys/time.h>
		49	#include <sys/un.h>
		50	+#include <sys/types.h>
		51	+#include <pwd.h>
		52
		53	#define PFX "iscsi_ipc "
		54
		55	@@ -61,6 +65,7 @@
		56	#include "iscsid_ipc.h"
		57	#include "uip.h"
		58	#include "uip_mgmt_ipc.h"
		59	+#include "sysdeps.h"
		60
		61	#include "logger.h"
		62	#include "uip.h"
		63	@@ -102,6 +107,7 @@ struct iface_rec_decode {
		64	uint16_t mtu;
		65	};
		66
		67	+#define PEERUSER_MAX 64
		68
		69	/******************************************************************************
		70	* iscsid_ipc Constants
		71	@@ -1029,6 +1035,40 @@ static void iscsid_loop_close(void *arg)
		72	LOG_INFO(PFX "iSCSI daemon socket closed");
		73	}
		74
		75	+/*
		76	+ * check that the peer user is privilidged
		77	+ *
		78	+ * return 1 if peer is ok else 0
		79	+ *
		80	+ * XXX: this function is copied from iscsid_ipc.c and should be
		81	+ * moved into a common library
		82	+ */
		83	+static int
		84	+mgmt_peeruser(int sock, char *user)
		85	+{
		86	+ struct ucred peercred;
		87	+ socklen_t so_len = sizeof(peercred);
		88	+ struct passwd *pass;
		89	+
		90	+ errno = 0;
		91	+ if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred,
		92	+ &so_len) != 0 \|\| so_len != sizeof(peercred)) {
		93	+ /* We didn't get a valid credentials struct. */
		94	+ LOG_ERR(PFX "peeruser_unux: error receiving credentials: %m");
		95	+ return 0;
		96	+ }
		97	+
		98	+ pass = getpwuid(peercred.uid);
		99	+ if (pass == NULL) {
		100	+ LOG_ERR(PFX "peeruser_unix: unknown local user with uid %d",
		101	+ (int) peercred.uid);
		102	+ return 0;
		103	+ }
		104	+
		105	+ strlcpy(user, pass->pw_name, PEERUSER_MAX);
		106	+ return 1;
		107	+}
		108	+
		109	/**
		110	* iscsid_loop() - This is the function which will process the broadcast
		111	* messages from iscsid
		112	@@ -1038,6 +1078,7 @@ static void iscsid_loop(void arg)
		113	{
		114	int rc;
		115	sigset_t set;
		116	+ char user[PEERUSER_MAX];
		117
		118	pthread_cleanup_push(iscsid_loop_close, arg);
		119
		120	@@ -1077,6 +1118,12 @@ static void iscsid_loop(void arg)
		121	continue;
		122	}
		123
		124	+ if (!mgmt_peeruser(iscsid_opts.fd, user) \|\| strncmp(user, "root", PEERUSER_MAX)) {
		125	+ close(s2);
		126	+ LOG_ERR(PFX "Access error: non-administrative connection rejected");
		127	+ break;
		128	+ }
		129	+
		130	process_iscsid_broadcast(s2);
		131	close(s2);
		132	}
		133	--
		134	1.9.1
		135


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch new file mode 100644 index 0000000000..1f5202ec02 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch
@@ -0,0 +1,39 @@
		1	From 035bb16845537351e1bccb16d38981754fd53129 Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 10:37:56 -0800
		4	Subject: [PATCH 2/7] iscsiuio should ignore bogus iscsid broadcast packets
		5
		6	When iscsiuio is receiving broadcast packets from iscsid,
		7	if the 'payload_len', carried in the packet, is too
		8	large then ignore the packet and print a message.
		9	Found by Qualsys.
		10
		11	CVE: CVE-2017-17840
		12
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		16	---
		17	iscsiuio/src/unix/iscsid_ipc.c \| 6 ++++++
		18	1 file changed, 6 insertions(+)
		19
		20	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		21	index 08e49e5..dfdae63 100644
		22	--- a/iscsiuio/src/unix/iscsid_ipc.c
		23	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		24	@@ -950,6 +950,12 @@ int process_iscsid_broadcast(int s2)
		25
		26	cmd = data->header.command;
		27	payload_len = data->header.payload_len;
		28	+ if (payload_len > sizeof(data->u)) {
		29	+ LOG_ERR(PFX "Data payload length too large (%d). Corrupt payload?",
		30	+ payload_len);
		31	+ rc = -EINVAL;
		32	+ goto error;
		33	+ }
		34
		35	LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
		36	cmd, payload_len);
		37	--
		38	1.9.1
		39


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch new file mode 100644 index 0000000000..825083b741 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch
@@ -0,0 +1,34 @@
		1	From 81d3106cf8f09c79fe20ad7d234d7e1dda27bddb Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 11:11:17 -0800
		4	Subject: [PATCH 3/7] Ensure all fields in iscsiuio IPC response are set
		5
		6	Make sure all fields in the response strcuture are set,
		7	or info from the stack can be leaked to our caller.
		8	Found by Qualsys.
		9
		10	CVE: CVE-2017-17840
		11
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		15	---
		16	iscsiuio/src/unix/iscsid_ipc.c \| 2 ++
		17	1 file changed, 2 insertions(+)
		18
		19	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		20	index dfdae63..61e96cc 100644
		21	--- a/iscsiuio/src/unix/iscsid_ipc.c
		22	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		23	@@ -960,6 +960,8 @@ int process_iscsid_broadcast(int s2)
		24	LOG_DEBUG(PFX "recv iscsid request: cmd: %d, payload_len: %d",
		25	cmd, payload_len);
		26
		27	+ memset(&rsp, 0, sizeof(rsp));
		28	+
		29	switch (cmd) {
		30	case ISCSID_UIP_IPC_GET_IFACE:
		31	size = fread(&data->u.iface_rec, payload_len, 1, fd);
		32	--
		33	1.9.1
		34


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch new file mode 100644 index 0000000000..274722c231 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch
@@ -0,0 +1,62 @@
		1	From 8167e5ce99682f64918a20966ce393cd33ac67ef Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 11:13:29 -0800
		4	Subject: [PATCH 4/7] Do not double-close IPC file stream to iscsid
		5
		6	A double-close of a file descriptor and its associated FILE stream
		7	can be an issue in multi-threaded cases. Found by Qualsys.
		8
		9	CVE: CVE-2017-17840
		10
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		14	---
		15	iscsiuio/src/unix/iscsid_ipc.c \| 9 +++++++--
		16	1 file changed, 7 insertions(+), 2 deletions(-)
		17
		18	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		19	index 61e96cc..bde8d66 100644
		20	--- a/iscsiuio/src/unix/iscsid_ipc.c
		21	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		22	@@ -913,6 +913,9 @@ early_exit:
		23	/**
		24	* process_iscsid_broadcast() - This function is used to process the
		25	* broadcast messages from iscsid
		26	+ *
		27	+ * s2 is an open file descriptor, which
		28	+ * must not be left open upon return
		29	*/
		30	int process_iscsid_broadcast(int s2)
		31	{
		32	@@ -928,6 +931,7 @@ int process_iscsid_broadcast(int s2)
		33	if (fd == NULL) {
		34	LOG_ERR(PFX "Couldn't open file descriptor: %d(%s)",
		35	errno, strerror(errno));
		36	+ close(s2);
		37	return -EIO;
		38	}
		39
		40	@@ -1030,7 +1034,8 @@ int process_iscsid_broadcast(int s2)
		41	}
		42
		43	error:
		44	- free(data);
		45	+ if (data)
		46	+ free(data);
		47	fclose(fd);
		48
		49	return rc;
		50	@@ -1132,8 +1137,8 @@ static void iscsid_loop(void arg)
		51	break;
		52	}
		53
		54	+ /* this closes the file descriptor s2 */
		55	process_iscsid_broadcast(s2);
		56	- close(s2);
		57	}
		58
		59	pthread_cleanup_pop(0);
		60	--
		61	1.9.1
		62


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch new file mode 100644 index 0000000000..b73b01120e --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0005-Ensure-strings-from-peer-are-copied-correctly.patch
@@ -0,0 +1,78 @@
		1	From c9fc86a50459776d9a7abb609f6503c57d69e034 Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 11:15:26 -0800
		4	Subject: [PATCH 5/7] Ensure strings from peer are copied correctly.
		5
		6	The method of using strlen() and strcpy()/strncpy() has
		7	a couple of holes. Do not try to measure the length of
		8	strings supplied from peer, and ensure copied strings are
		9	NULL-terminated. Use the new strlcpy() instead.
		10	Found by Qualsys.
		11
		12	CVE: CVE-2017-17840
		13
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		17	---
		18	iscsiuio/src/unix/iscsid_ipc.c \| 24 ++++++------------------
		19	1 file changed, 6 insertions(+), 18 deletions(-)
		20
		21	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		22	index bde8d66..52ae8c6 100644
		23	--- a/iscsiuio/src/unix/iscsid_ipc.c
		24	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		25	@@ -152,10 +152,7 @@ static int decode_cidr(char in_ipaddr_str, struct iface_rec_decode ird)
		26	struct in_addr ia;
		27	struct in6_addr ia6;
		28
		29	- if (strlen(in_ipaddr_str) > NI_MAXHOST)
		30	- strncpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
		31	- else
		32	- strcpy(ipaddr_str, in_ipaddr_str);
		33	+ strlcpy(ipaddr_str, in_ipaddr_str, NI_MAXHOST);
		34
		35	/* Find the CIDR if any */
		36	tmp = strchr(ipaddr_str, '/');
		37	@@ -287,22 +284,16 @@ static int decode_iface(struct iface_rec_decode ird, struct iface_rec rec)
		38
		39	/* For LL on, ignore the IPv6 addr in the iface */
		40	if (ird->linklocal_autocfg == IPV6_LL_AUTOCFG_OFF) {
		41	- if (strlen(rec->ipv6_linklocal) > NI_MAXHOST)
		42	- strncpy(ipaddr_str, rec->ipv6_linklocal,
		43	- NI_MAXHOST);
		44	- else
		45	- strcpy(ipaddr_str, rec->ipv6_linklocal);
		46	+ strlcpy(ipaddr_str, rec->ipv6_linklocal,
		47	+ NI_MAXHOST);
		48	inet_pton(AF_INET6, ipaddr_str,
		49	&ird->ipv6_linklocal);
		50	}
		51
		52	/* For RTR on, ignore the IPv6 addr in the iface */
		53	if (ird->router_autocfg == IPV6_RTR_AUTOCFG_OFF) {
		54	- if (strlen(rec->ipv6_router) > NI_MAXHOST)
		55	- strncpy(ipaddr_str, rec->ipv6_router,
		56	- NI_MAXHOST);
		57	- else
		58	- strcpy(ipaddr_str, rec->ipv6_router);
		59	+ strlcpy(ipaddr_str, rec->ipv6_router,
		60	+ NI_MAXHOST);
		61	inet_pton(AF_INET6, ipaddr_str,
		62	&ird->ipv6_router);
		63	}
		64	@@ -316,10 +307,7 @@ static int decode_iface(struct iface_rec_decode ird, struct iface_rec rec)
		65	calculate_default_netmask(
		66	ird->ipv4_addr.s_addr);
		67
		68	- if (strlen(rec->gateway) > NI_MAXHOST)
		69	- strncpy(ipaddr_str, rec->gateway, NI_MAXHOST);
		70	- else
		71	- strcpy(ipaddr_str, rec->gateway);
		72	+ strlcpy(ipaddr_str, rec->gateway, NI_MAXHOST);
		73	inet_pton(AF_INET, ipaddr_str, &ird->ipv4_gateway);
		74	}
		75	} else {
		76	--
		77	1.9.1
		78


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch new file mode 100644 index 0000000000..0fa24cd10d --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0006-Skip-useless-strcopy-and-validate-CIDR-length.patch
@@ -0,0 +1,44 @@
		1	From a6efed7601c890ac051ad1425582ec67dbd3f5ff Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 11:18:35 -0800
		4	Subject: [PATCH 6/7] Skip useless strcopy, and validate CIDR length
		5
		6	Remove a useless strcpy() that copies a string onto itself,
		7	and ensure the CIDR length "keepbits" is not negative.
		8	Found by Qualsys.
		9
		10	CVE: CVE-2017-17840
		11
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		15	---
		16	iscsiuio/src/unix/iscsid_ipc.c \| 5 ++---
		17	1 file changed, 2 insertions(+), 3 deletions(-)
		18
		19	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		20	index 52ae8c6..85742da 100644
		21	--- a/iscsiuio/src/unix/iscsid_ipc.c
		22	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		23	@@ -148,7 +148,7 @@ static int decode_cidr(char in_ipaddr_str, struct iface_rec_decode ird)
		24	char tmp, tok;
		25	char ipaddr_str[NI_MAXHOST];
		26	char str[INET6_ADDRSTRLEN];
		27	- int keepbits = 0;
		28	+ unsigned long keepbits = 0;
		29	struct in_addr ia;
		30	struct in6_addr ia6;
		31
		32	@@ -161,8 +161,7 @@ static int decode_cidr(char in_ipaddr_str, struct iface_rec_decode ird)
		33	tmp = ipaddr_str;
		34	tok = strsep(&tmp, "/");
		35	LOG_INFO(PFX "in cidr: bitmask '%s' ip '%s'", tmp, tok);
		36	- keepbits = atoi(tmp);
		37	- strcpy(ipaddr_str, tok);
		38	+ keepbits = strtoull(tmp, NULL, 10);
		39	}
		40
		41	/* Determine if the IP address passed from the iface file is
		42	--
		43	1.9.1
		44


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch new file mode 100644 index 0000000000..c63c0a8d56 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
@@ -0,0 +1,64 @@
		1	From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001
		2	From: Lee Duncan <lduncan@suse.com>
		3	Date: Fri, 15 Dec 2017 11:21:15 -0800
		4	Subject: [PATCH 7/7] Check iscsiuio ping data length for validity
		5
		6	We do not trust that the received ping packet data length
		7	is correct, so sanity check it. Found by Qualsys.
		8
		9	CVE: CVE-2017-17840
		10
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		14	---
		15	iscsiuio/src/unix/iscsid_ipc.c \| 5 +++++
		16	iscsiuio/src/unix/packet.c \| 2 +-
		17	iscsiuio/src/unix/packet.h \| 2 ++
		18	3 files changed, 8 insertions(+), 1 deletion(-)
		19
		20	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
		21	index 85742da..a2caacc 100644
		22	--- a/iscsiuio/src/unix/iscsid_ipc.c
		23	+++ b/iscsiuio/src/unix/iscsid_ipc.c
		24	@@ -333,6 +333,11 @@ static void perform_ping(void arg)
		25
		26	data = (iscsid_uip_broadcast_t *)png_c->data;
		27	datalen = data->u.ping_rec.datalen;
		28	+ if ((datalen > STD_MTU_SIZE) \|\| (datalen < 0)) {
		29	+ LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
		30	+ rc = -EINVAL;
		31	+ goto ping_done;
		32	+ }
		33
		34	memset(dst_addr, 0, sizeof(uip_ip6addr_t));
		35	if (nic_iface->protocol == AF_INET) {
		36	diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
		37	index ecea09b..3ce2c6b 100644
		38	--- a/iscsiuio/src/unix/packet.c
		39	+++ b/iscsiuio/src/unix/packet.c
		40	@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
		41	for (i = 0; i < num_of_packets; i++) {
		42	packet_t *pkt;
		43
		44	- pkt = alloc_packet(1500, 1500);
		45	+ pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
		46	if (pkt == NULL) {
		47	goto done;
		48	}
		49	diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
		50	index b63d688..19d1db9 100644
		51	--- a/iscsiuio/src/unix/packet.h
		52	+++ b/iscsiuio/src/unix/packet.h
		53	@@ -43,6 +43,8 @@
		54
		55	#include "nic.h"
		56
		57	+#define STD_MTU_SIZE 1500
		58	+
		59	struct nic;
		60	struct nic_interface;
		61
		62	--
		63	1.9.1
		64


diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb index 95848d0b33..6c4a867b52 100644 --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.0.874.bb
@@ -22,6 +22,13 @@ SRC_URI = "git://github.com/open-iscsi/open-iscsi \
22	file://iscsi-initiator.service \	22	file://iscsi-initiator.service \
23	file://iscsi-initiator-targets.service \	23	file://iscsi-initiator-targets.service \
24	file://set_initiatorname \	24	file://set_initiatorname \
		25	file://0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch \
		26	file://0002-iscsiuio-should-ignore-bogus-iscsid-broadcast-packet.patch \
		27	file://0003-Ensure-all-fields-in-iscsiuio-IPC-response-are-set.patch \
		28	file://0004-Do-not-double-close-IPC-file-stream-to-iscsid.patch \
		29	file://0005-Ensure-strings-from-peer-are-copied-correctly.patch \
		30	file://0006-Skip-useless-strcopy-and-validate-CIDR-length.patch \
		31	file://0007-Check-iscsiuio-ping-data-length-for-validity.patch \
25	"	32	"
26		33
27	S = "${WORKDIR}/git"	34	S = "${WORKDIR}/git"