Date: Wed, 29 Dec 2021 00:50:07 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: c74ab5ce6f25 - main - iscsid: Always free the duplicated address in resolve_addr().

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=c74ab5ce6f259afe1720a326df7e77848cf4f00b

commit c74ab5ce6f259afe1720a326df7e77848cf4f00b
Author: John Baldwin
AuthorDate: 2021-12-29 00:40:04 +0000
Commit: John Baldwin
CommitDate: 2021-12-29 00:49:46 +0000

iscsid: Always free the duplicated address in resolve_addr().

If a "raw" IPv6 address (denoted by a leading '[') is used as a target address, then 'arg' is incremented by one to skip over the '['. However, this meant that at the end of the function the wrong address was passed to free().

With malloc junking enabled and given suitably small strings, malloc() would happily overwrite the correct number of bytes with junk, but off by one byte overwriting the byte after the allocation. This manifested as the first byte of the 'HeaderDigest' key being overwritten causing the key name on the wire to be sent as '\x5eaderDigest' which the target rejected.

Reported by: Jithesh Arakkan @ Chelsio
Found with: ASAN (via WITH_ASAN=yes)
Sponsored by: Chelsio Communications
---
 usr.sbin/iscsid/iscsid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/iscsid/iscsid.c b/usr.sbin/iscsid/iscsid.c index dc28a4f6f0cb..2689c4a2b455 100644 --- a/usr.sbin/iscsid/iscsid.c +++ b/usr.sbin/iscsid/iscsid.c @@ -150,11 +150,11 @@ resolve_addr(const struct connection *conn, const char *address, struct addrinfo **ai, bool initiator_side) { struct addrinfo hints; - char *arg, *addr, *ch; + char *arg, *addr, *ch, *tofree; const char *port; int error, colons = 0; - arg = checked_strdup(address); + tofree = arg = checked_strdup(address); if (arg[0] == '\0') { fail(conn, "empty address"); @@ -216,7 +216,7 @@ resolve_addr(const struct connection *conn, const char *address, address, gai_strerror(error)); } - free(addr); + free(tofree); } static struct iscsid_connection *
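
Review bot: in the first hunk, `tofree = arg = checked_strdup(address);` is followed directly by the `arg[0] == '\0'` branch that calls `fail(conn, "empty address")`, and the visible context does not show whether that path leaves the function before the single `free(tofree)` at the end. Worth confirming that every exit between the strdup and the final free releases `tofree`. A short comment at the `*tofree` declaration saying that it keeps the pointer returned by checked_strdup() because `arg` is advanced past a leading '[' would also stop a later cleanup from folding it back into `free(addr)`.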
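
Review bot: the `free(addr)` to `free(tofree)` change in the second hunk comes without a regression test. The commit message says the bad free only happened for a target address with a leading '[' and was found with ASAN (WITH_ASAN=yes), so a test that resolves a bracketed IPv6 address in an ASAN build would catch the interior-pointer free if it is ever reintroduced.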
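
The ownership rule behind this fix, as an added example that is not part of the commit or of iscsid: `split_target()` is a hypothetical helper that parses the same bracketed "raw" IPv6 form, advances a cursor past the '[', and frees only the pointer the allocator returned. The address in `main()` is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not iscsid code: split "host", "host:port" or
 * "[v6addr]:port" into caller buffers; 0 on success, -1 on bad input. */
int
split_target(const char *address, char *host, size_t hostlen,
    char *port, size_t portlen)
{
	size_t len = strlen(address);
	char *base, *arg, *end, *p = NULL;	/* only base is ever freed */
	int rv = -1;

	if ((base = arg = malloc(len + 1)) == NULL)
		return (-1);
	memcpy(base, address, len + 1);
	if (arg[0] == '[') {
		arg++;			/* cursor moves, base does not */
		if ((end = strchr(arg, ']')) == NULL)
			goto out;	/* unterminated bracket */
		*end++ = '\0';
		if (*end == ':')
			p = end + 1;
		else if (*end != '\0')
			goto out;	/* junk after ']' */
	} else if ((end = strchr(arg, ':')) != NULL &&
	    end == strrchr(arg, ':')) {
		*end = '\0';		/* exactly one colon: host:port */
		p = end + 1;
	}
	if (portlen == 0 || arg[0] == '\0' || strlen(arg) >= hostlen ||
	    (p != NULL && (p[0] == '\0' || strlen(p) >= portlen)))
		goto out;
	strcpy(host, arg);
	strcpy(port, p != NULL ? p : "");
	rv = 0;
out:
	free(base);			/* never free(arg): it may be base + 1 */
	return (rv);
}

int main(void)
{
	char h[64], p[8];	/* constructed sample address below */
	if (split_target("[2001:db8::1]:3260", h, sizeof(h), p, sizeof(p)) == 0)
		printf("host=%s port=%s\n", h, p);
	return (0);
}
```

Building this with `-fsanitize=address` and changing `free(base)` to `free(arg)` makes the bracketed case abort with an invalid-free report, while the unbracketed cases still pass.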