1 files changed, 64 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
new file mode 100644
index 0000000000..c63c0a8d56
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
@@ -0,0 +1,64 @@
+From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 11:21:15 -0800
+Subject: [PATCH 7/7] Check iscsiuio ping data length for validity
+We do not trust that the received ping packet data length
+is correct, so sanity check it. Found by Qualsys.
+CVE: CVE-2017-17840
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/iscsid_ipc.c | 5 +++++
+ iscsiuio/src/unix/packet.c     | 2 +-
+ iscsiuio/src/unix/packet.h     | 2 ++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index 85742da..a2caacc 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
+++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -333,6 +333,11 @@ static void *perform_ping(void *arg)
+ 
+        data = (iscsid_uip_broadcast_t *)png_c->data;
+        datalen = data->u.ping_rec.datalen;
+       if ((datalen > STD_MTU_SIZE) || (datalen < 0)) {
+               LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
+               rc = -EINVAL;
+               goto ping_done;
+       }
+ 
+        memset(dst_addr, 0, sizeof(uip_ip6addr_t));
+        if (nic_iface->protocol == AF_INET) {
+diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
+index ecea09b..3ce2c6b 100644
+--- a/iscsiuio/src/unix/packet.c
+++ b/iscsiuio/src/unix/packet.c
+@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
+        for (i = 0; i < num_of_packets; i++) {
+                packet_t *pkt;
+ 
+-               pkt = alloc_packet(1500, 1500);
+               pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
+                if (pkt == NULL) {
+                        goto done;
+                }
+diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
+index b63d688..19d1db9 100644
+--- a/iscsiuio/src/unix/packet.h
+++ b/iscsiuio/src/unix/packet.h
+@@ -43,6 +43,8 @@
+ 
+ #include "nic.h"
+ 
+#define        STD_MTU_SIZE    1500
+
+ struct nic;
+ struct nic_interface;
+ 
+-- 
+1.9.1

diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch new file mode 100644 index 0000000000..c63c0a8d56 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch
@@ -0,0 +1,64 @@
	1	From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001
	2	From: Lee Duncan <lduncan@suse.com>
	3	Date: Fri, 15 Dec 2017 11:21:15 -0800
	4	Subject: [PATCH 7/7] Check iscsiuio ping data length for validity
	5
	6	We do not trust that the received ping packet data length
	7	is correct, so sanity check it. Found by Qualsys.
	8
	9	CVE: CVE-2017-17840
	10
	11	Upstream-Status: Backport
	12
	13	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	14	---
	15	iscsiuio/src/unix/iscsid_ipc.c \| 5 +++++
	16	iscsiuio/src/unix/packet.c \| 2 +-
	17	iscsiuio/src/unix/packet.h \| 2 ++
	18	3 files changed, 8 insertions(+), 1 deletion(-)
	19
	20	diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
	21	index 85742da..a2caacc 100644
	22	--- a/iscsiuio/src/unix/iscsid_ipc.c
	23	+++ b/iscsiuio/src/unix/iscsid_ipc.c
	24	@@ -333,6 +333,11 @@ static void perform_ping(void arg)
	25
	26	data = (iscsid_uip_broadcast_t *)png_c->data;
	27	datalen = data->u.ping_rec.datalen;
	28	+ if ((datalen > STD_MTU_SIZE) \|\| (datalen < 0)) {
	29	+ LOG_ERR(PFX "Ping datalen invalid: %d", datalen);
	30	+ rc = -EINVAL;
	31	+ goto ping_done;
	32	+ }
	33
	34	memset(dst_addr, 0, sizeof(uip_ip6addr_t));
	35	if (nic_iface->protocol == AF_INET) {
	36	diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c
	37	index ecea09b..3ce2c6b 100644
	38	--- a/iscsiuio/src/unix/packet.c
	39	+++ b/iscsiuio/src/unix/packet.c
	40	@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets)
	41	for (i = 0; i < num_of_packets; i++) {
	42	packet_t *pkt;
	43
	44	- pkt = alloc_packet(1500, 1500);
	45	+ pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE);
	46	if (pkt == NULL) {
	47	goto done;
	48	}
	49	diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h
	50	index b63d688..19d1db9 100644
	51	--- a/iscsiuio/src/unix/packet.h
	52	+++ b/iscsiuio/src/unix/packet.h
	53	@@ -43,6 +43,8 @@
	54
	55	#include "nic.h"
	56
	57	+#define STD_MTU_SIZE 1500
	58	+
	59	struct nic;
	60	struct nic_interface;
	61
	62	--
	63	1.9.1
	64