Date: Fri, 29 Apr 2022 23:12:22 GMT
Message-Id: <202204292312.23TNCMMH044570@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 06a67a1f05a7 - stable/13 - iscsid: Always free the duplicated address in resolve_addr().
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 06a67a1f05a7f52fbae21acd03d0a39147fb1d71

The branch stable/13 has been updated by jhb:

URL:
https://cgit.FreeBSD.org/src/commit/?id=06a67a1f05a7f52fbae21acd03d0a39147fb1d71 commit 06a67a1f05a7f52fbae21acd03d0a39147fb1d71 Author: John Baldwin AuthorDate: 2021-12-29 00:40:04 +0000 Commit: John Baldwin CommitDate: 2022-04-29 21:17:30 +0000 iscsid: Always free the duplicated address in resolve_addr(). If a "raw" IPv6 address (denoted by a leading '[') is used as a target address, then 'arg' is incremented by one to skip over the '['. However, this meant that at the end of the function the wrong address was passed to free(). With malloc junking enabled and given suitably small strings, malloc() would happily overwrite the correct number of bytes with junk, but off by one byte overwriting the byte after the allocation. This manifested as the first byte of the 'HeaderDigest' key being overwritten causing the key name on the wire to be sent as '\x5eaderDigest' which the target rejected. Reported by: Jithesh Arakkan @ Chelsio Found with: ASAN (via WITH_ASAN=yes) Sponsored by: Chelsio Communications (cherry picked from commit c74ab5ce6f259afe1720a326df7e77848cf4f00b) --- usr.sbin/iscsid/iscsid.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr.sbin/iscsid/iscsid.c b/usr.sbin/iscsid/iscsid.c index dc28a4f6f0cb..2689c4a2b455 100644 --- a/usr.sbin/iscsid/iscsid.c +++ b/usr.sbin/iscsid/iscsid.c @@ -150,11 +150,11 @@ resolve_addr(const struct connection *conn, const char *address, struct addrinfo **ai, bool initiator_side) { struct addrinfo hints; - char *arg, *addr, *ch; + char *arg, *addr, *ch, *tofree; const char *port; int error, colons = 0; - arg = checked_strdup(address); + tofree = arg = checked_strdup(address); if (arg[0] == '\0') { fail(conn, "empty address"); @@ -216,7 +216,7 @@ resolve_addr(const struct connection *conn, const char *address, address, gai_strerror(error)); } - free(addr); + free(tofree); } static struct iscsid_connection *
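
Review bot: In the first hunk, "tofree = arg = checked_strdup(address);" adds a pointer whose only job is to remember the allocation, but nothing at the declaration or the assignment says so. A one-line comment there, for example "arg may be advanced past a leading '['; tofree keeps the pointer for free()", would stop a later cleanup from folding tofree back into arg or addr. The "if (arg[0] == '\0')" branch is cut off by the hunk boundary right after fail(); if that branch can return to the caller, it needs free(tofree) as well.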
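
Review bot: In the second hunk the removed line is free(addr), while the commit message explains the bug in terms of 'arg' being incremented; the lines that tie addr to arg fall between the two hunks and are not visible here. A sentence in the message stating that addr ends up pointing one byte into the allocation would let the fix be checked from the diff alone. The placement of free(tofree) after the closing brace of the gai_strerror() error branch covers both the success and the failure path, which is right; a regression test that uses a bracketed IPv6 target address would keep it that way.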
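
The pattern the commit message describes, as an added example that is not part of the commit or of iscsid.c: a parser that advances its working pointer past a leading '[' while keeping the pointer the allocator returned for free(). The function name split_target, its buffer parameters and the sample addresses are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not taken from iscsid.c: split "host", "host:port" or
 * "[v6addr]:port" into host and port.  Returns 0 on success, -1 on error. */
int
split_target(const char *address, char *host, size_t hostlen, char *port, size_t portlen)
{
	char *dup, *cur, *end, *colon;
	size_t n = strlen(address) + 1;
	int rv = -1;

	port[0] = '\0';
	dup = cur = malloc(n);		/* private copy; dup is never advanced */
	if (dup == NULL)
		return (-1);
	memcpy(dup, address, n);
	if (cur[0] == '[') {
		cur++;			/* cur != dup from here on */
		end = strchr(cur, ']');
		if (end == NULL)
			goto out;	/* unterminated bracket */
		*end++ = '\0';
		if (*end == ':')
			snprintf(port, portlen, "%s", end + 1);
		else if (*end != '\0')
			goto out;	/* junk after ']' */
	} else if ((colon = strchr(cur, ':')) != NULL &&
	    strchr(colon + 1, ':') == NULL) {
		*colon = '\0';		/* exactly one colon: host:port */
		snprintf(port, portlen, "%s", colon + 1);
	}
	if (cur[0] == '\0' || strlen(cur) >= hostlen)
		goto out;
	snprintf(host, hostlen, "%s", cur);
	rv = 0;
out:
	free(dup);			/* always the pointer malloc() returned */
	return (rv);
}

int main(void)
{
	char host[64], port[16];
	if (split_target("[fe80::1]:3260", host, sizeof(host), port, sizeof(port)) == 0)
		printf("host=%s port=%s\n", host, port);
	return (0);
}
```

Building this with AddressSanitizer and changing free(dup) to free(cur) reproduces the class of report named in the "Found with" line for the bracketed input only, since that is the one path on which cur and dup differ.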