• iscsi-target: Reject immediate data underflow larger than SCSI transfer length · 33ae1314
    Nicholas Bellinger authored
    BugLink: http://bugs.launchpad.net/bugs/1702118
    
    commit abb85a9b upstream.
    
    When iscsi WRITE underflow occurs there are two different scenarios
    that can happen.
    
    Normally in practice, when an EDTL vs. SCSI CDB TRANSFER LENGTH
    underflow is detected, the iscsi immediate data payload is the
    smaller SCSI CDB TRANSFER LENGTH.
    
    That is, when a host fabric LLD is using a fixed size EDTL for
    a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual
    SCSI payload ends up being smaller than EDTL.  In iscsi, this
    means the received iscsi immediate data payload matches the
    smaller SCSI CDB TRANSFER LENGTH, because there is no more
    SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.
    
    However, it's possible for a malicious host to send a WRITE
    underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH,
    but incoming iscsi immediate data actually matches EDTL.
    
    In the wild, we've never had an iscsi host environment actually
    try to do this.
    
    For this special case, it's wrong to truncate part of the
    control CDB payload and continue to process the command during
    underflow when immediate data payload received was larger than
    SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the
    bogus payload as a defensive action.
    
    Note this potential bug was originally relaxed by the following
    for allowing WRITE underflow in MSFT FCP host environments:
    
       commit c72c5250
       Author: Roland Dreier <roland@purestorage.com>
       Date:   Wed Jul 22 15:08:18 2015 -0700
    
          target: allow underflow/overflow for PR OUT etc. commands
    
    Cc: Roland Dreier <roland@purestorage.com>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: Hannes Reinecke <hare@suse.de>
    Cc: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
iscsi_target.c 131 KB
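
The two underflow scenarios from the commit message, as an added stand-alone C model that is not the kernel's own code. The struct, enum and function names are hypothetical, the sample PDUs are constructed, and the first sanity check is an assumption of the model rather than something this commit describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the three lengths the commit message compares. */
struct write_pdu {
    uint32_t edtl;         /* Expected Data Transfer Length from the iSCSI header */
    uint32_t cdb_xfer_len; /* TRANSFER LENGTH decoded from the SCSI CDB, in bytes */
    uint32_t imm_data_len; /* immediate data actually carried with the command */
};

enum verdict { NOT_UNDERFLOW, UNDERFLOW_OK, UNDERFLOW_REJECT, MALFORMED };

static enum verdict classify_write(const struct write_pdu *p)
{
    /* Model assumption (outside this commit's scope): the payload may not
     * exceed what the initiator itself declared as EDTL. */
    if (p->imm_data_len > p->edtl)
        return MALFORMED;

    /* Underflow means EDTL is larger than the CDB's TRANSFER LENGTH. */
    if (p->edtl <= p->cdb_xfer_len)
        return NOT_UNDERFLOW;

    /* Special case: the payload goes past the CDB's TRANSFER LENGTH.
     * Truncating it and continuing would process a partial control payload,
     * so the command is rejected and the payload dropped. */
    if (p->imm_data_len > p->cdb_xfer_len)
        return UNDERFLOW_REJECT;

    /* Normal case: fixed-size EDTL, payload matches the smaller CDB length. */
    return UNDERFLOW_OK;
}

int main(void)
{
    static const char *names[] = { "NOT_UNDERFLOW", "UNDERFLOW_OK",
                                   "UNDERFLOW_REJECT", "MALFORMED" };
    /* Constructed sample commands: { EDTL, CDB length, immediate data }. */
    const struct write_pdu samples[] = {
        { 4096, 4096, 4096 }, /* lengths agree */
        {  512,   24,   24 }, /* benign underflow, fixed-size EDTL */
        {  512,   24,  512 }, /* payload matches EDTL, not the CDB */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("edtl=%u cdb=%u imm=%u -> %s\n", samples[i].edtl,
               samples[i].cdb_xfer_len, samples[i].imm_data_len,
               names[classify_write(&samples[i])]);
    return 0;
}
```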