From owner-svn-src-all@FreeBSD.ORG  Sun Nov  9 13:30:03 2014
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7231061B;
 Sun,  9 Nov 2014 13:30:03 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 53DDB9C8;
 Sun,  9 Nov 2014 13:30:03 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA9DU3p8074526;
 Sun, 9 Nov 2014 13:30:03 GMT (envelope-from trasz@FreeBSD.org)
Received: (from trasz@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA9DU3b6074525;
 Sun, 9 Nov 2014 13:30:03 GMT (envelope-from trasz@FreeBSD.org)
Message-Id: <201411091330.sA9DU3b6074525@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: trasz set sender to
 trasz@FreeBSD.org using -f
From: Edward Tomasz Napierala <trasz@FreeBSD.org>
Date: Sun, 9 Nov 2014 13:30:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r274309 - head/usr.sbin/ctld
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Nov 2014 13:30:03 -0000

Author: trasz
Date: Sun Nov  9 13:30:02 2014
New Revision: 274309
URL: https://svnweb.freebsd.org/changeset/base/274309

Log:
  Fix several nits in redirection handling - don't use wrong CSG,
  and avoid use-after-free.
  
  MFC after:	1 month
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/usr.sbin/ctld/login.c

Modified: head/usr.sbin/ctld/login.c
==============================================================================
--- head/usr.sbin/ctld/login.c	Sun Nov  9 13:01:09 2014	(r274308)
+++ head/usr.sbin/ctld/login.c	Sun Nov  9 13:30:02 2014	(r274309)
@@ -620,11 +620,10 @@ login_redirect(struct pdu *request, cons
 	struct keys *response_keys;
 
 	response = login_new_response(request);
+	login_set_csg(response, login_csg(request));
 	bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs;
 	bhslr2->bhslr_status_class = 0x01;
 	bhslr2->bhslr_status_detail = 0x01;
-	login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
-	login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
 
 	response_keys = keys_new();
 	keys_add(response_keys, "TargetAddress", target_address);
@@ -679,7 +678,7 @@ login_negotiate(struct connection *conn,
 	struct iscsi_bhs_login_response *bhslr2;
 	struct keys *request_keys, *response_keys;
 	int i;
-	bool skipped_security;
+	bool redirected, skipped_security;
 
 	if (request == NULL) {
 		log_debugx("beginning operational parameter negotiation; "
@@ -689,6 +688,18 @@ login_negotiate(struct connection *conn,
 	} else
 		skipped_security = true;
 
+	/*
+	 * RFC 3720, 10.13.5.  Status-Class and Status-Detail, says
+	 * the redirection SHOULD be accepted by the initiator before
+	 * authentication, but MUST be be accepted afterwards; that's
+	 * why we're doing it here and not earlier.
+	 */
+	redirected = login_target_redirect(conn, request);
+	if (redirected) {
+		log_debugx("initiator redirected; exiting");
+		exit(0);
+	}
+
 	request_keys = keys_new();
 	keys_load(request_keys, request);
 
@@ -876,12 +887,6 @@ login(struct connection *conn)
 
 		keys_delete(request_keys);
 
-		redirected = login_target_redirect(conn, request);
-		if (redirected) {
-			log_debugx("initiator redirected; exiting");
-			exit(0);
-		}
-
 		log_debugx("initiator skipped the authentication, "
 		    "and we don't need it; proceeding with negotiation");
 		login_negotiate(conn, request);
@@ -893,12 +898,6 @@ login(struct connection *conn)
 		 * Initiator might want to to authenticate,
 		 * but we don't need it.
 		 */
-		redirected = login_target_redirect(conn, request);
-		if (redirected) {
-			log_debugx("initiator redirected; exiting");
-			exit(0);
-		}
-
 		log_debugx("authentication not required; "
 		    "transitioning to operational parameter negotiation");
 
@@ -987,17 +986,5 @@ login(struct connection *conn)
 
 	login_chap(conn, ag);
 
-	/*
-	 * RFC 3720, 10.13.5.  Status-Class and Status-Detail, says
-	 * the redirection SHOULD be accepted by the initiator before
-	 * authentication, but MUST be be accepted afterwards; that's
-	 * why we're doing it here and not earlier.
-	 */
-	redirected = login_target_redirect(conn, request);
-	if (redirected) {
-		log_debugx("initiator redirected; exiting");
-		exit(0);
-	}
-
 	login_negotiate(conn, NULL);
 }