From: Claudio Jeker
Subject: iscsid: be more careful handling ISCSI_SCSI_STAT_CHCK_COND
To: tech@openbsd.org
Date: Wed, 20 May 2026 20:27:10 +0200

In the vscsi_callback() handle ISCSI_SCSI_STAT_CHCK_COND more carefully. Especially the embedded sense data needs to be extracted respecting the real buffer length. Make sure at least 2 bytes are available for the length and also check that the resulting len is not bigger than the buffer itself.

Also in vscsi_status() check if len > 0 instead of looking at buf. This is for the case where buf is set but len is 0.

-- 
:wq Claudio

Index: vscsi.c =================================================================== RCS file: /cvs/src/usr.sbin/iscsid/vscsi.c,v diff -u -p -r1.18 vscsi.c --- vscsi.c 28 Dec 2022 21:30:16 -0000 1.18 +++ vscsi.c 20 May 2026 18:22:01 -0000 @@ -177,7 +177,7 @@ vscsi_status(int tag, int status, void * bzero(&t2i, sizeof(t2i)); t2i.tag = tag; t2i.status = status; - if (buf) { + if (len > 0) { if (len > sizeof(t2i.sense)) len = sizeof(t2i.sense); memcpy(&t2i.sense, buf, len); @@ -241,9 +241,12 @@ vscsi_callback(struct connection *c, voi status = VSCSI_STAT_SENSE; /* stupid encoding of sense data in the data segment */ buf = pdu_getbuf(p, &n, PDU_DATA); - if (buf) { + if (buf && n >= 2) { size = buf[0] << 8 | buf[1]; buf += 2; + n -= 2; + if (size > n) + size = n; } break; default:
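Review bot: In the vscsi_status() hunk, replacing `if (buf)` with `if (len > 0)` removes the only NULL check in front of `memcpy(&t2i.sense, buf, len)`; a caller that passes buf == NULL together with a non-zero len now dereferences NULL. If every caller is known to pair a non-zero len with a valid buf this is fine, otherwise `if (buf && len > 0)` keeps both the old guard and the new intent of skipping the copy when len is 0.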
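Review bot: In the vscsi_callback() hunk, the new `n >= 2` condition means a data segment of 0 or 1 bytes skips the block entirely, so `size` keeps whatever value it held before the switch while status has already been set to VSCSI_STAT_SENSE. If that earlier value is a non-zero length, the later vscsi_status() call would still copy from a buffer that carries no length field. Consider an else branch that sets `size = 0` (and buf to NULL) for the short-segment case, or confirm that size is always 0 on entry to this case.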
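The encoding the mail describes (a two-byte big-endian sense length at the start of the data segment, followed by the sense bytes) is small enough to show end to end. The following is an added example, not code from iscsid or from the patch above: a stand-alone extractor that applies the same two checks the patch introduces (require the 2-byte length field; clamp the advertised length to the bytes that actually remain) and a copy step that, like the patched vscsi_status(), copies nothing when the length is 0. The function names `sense_extract` and `sense_copy`, the `struct sense_view` type and the sample segments are all constructed for this example.

```c
/*
 * Added example, not part of the iscsid patch: bounds-checked extraction
 * of iSCSI sense data embedded in a data segment. The first two bytes
 * carry a big-endian sense length; the sense bytes follow. All names
 * and sample buffers here are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the sense bytes live inside a data segment. */
struct sense_view {
    const uint8_t *data; /* start of sense bytes, or NULL */
    size_t len;          /* number of usable sense bytes */
};

/*
 * Extract sense data from a data segment of n bytes. Returns 0 on
 * success and -1 when the segment cannot even hold the length field.
 * The advertised length is never trusted beyond what remains in the
 * segment, which is the check the patch adds to vscsi_callback().
 */
int
sense_extract(const uint8_t *buf, size_t n, struct sense_view *out)
{
    size_t size;

    out->data = NULL;
    out->len = 0;

    if (buf == NULL || n < 2)
        return -1;

    /* Big-endian 16-bit length, then skip past the length field. */
    size = (size_t)buf[0] << 8 | buf[1];
    buf += 2;
    n -= 2;
    if (size > n)
        size = n; /* advertised length exceeds the segment: truncate */

    out->data = buf;
    out->len = size;
    return 0;
}

/*
 * Copy the sense bytes into a fixed-size destination, the way
 * vscsi_status() fills t2i.sense. A zero length copies nothing even
 * when a data pointer is present. Returns the number of bytes copied.
 */
size_t
sense_copy(uint8_t *dst, size_t dstlen, const struct sense_view *sv)
{
    size_t len = sv->len;

    if (sv->data == NULL || len == 0)
        return 0;
    if (len > dstlen)
        len = dstlen;
    memcpy(dst, sv->data, len);
    return len;
}

int
main(void)
{
    /* Constructed segments exercising the normal and the edge cases. */
    const uint8_t good[] = { 0x00, 0x03, 0x70, 0x00, 0x05 }; /* len 3, 3 present */
    const uint8_t lies[] = { 0xff, 0xff, 0x70, 0x00 };       /* claims 65535 */
    const uint8_t tiny[] = { 0x00 };                         /* no length field */
    struct sense_view sv;
    uint8_t sense[32];

    sense_extract(good, sizeof(good), &sv);
    printf("good: %zu sense bytes\n", sv.len);
    sense_extract(lies, sizeof(lies), &sv);
    printf("lies: clamped to %zu sense bytes\n", sv.len);
    printf("tiny: extract returns %d\n", sense_extract(tiny, sizeof(tiny), &sv));
    printf("tiny: copied %zu bytes\n", sense_copy(sense, sizeof(sense), &sv));
    return 0;
}
```

The clamp is what turns a hostile or corrupt length field into a harmless truncation: the parser never reads past the segment it was handed, and a segment too short to carry a length is rejected before any arithmetic on it.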