hw/block/nvme: fix ns attachment out-of-bounds read
nvme_ns_attachment() does not verify the contents of the host-supplied
16 bit "Number of Identifiers" field in the command payload.
Make sure the value is capped at 2047 and fix the out-of-bounds read.
Fixes: 645ce1a70c
("hw/block/nvme: support namespace attachment command")
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
parent
102ce606fb
commit
8eb5c8069a
@ -4920,6 +4920,7 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n, NvmeRequest *req)
|
|||||||
return NVME_NS_CTRL_LIST_INVALID | NVME_DNR;
|
return NVME_NS_CTRL_LIST_INVALID | NVME_DNR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
*nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1);
|
||||||
for (i = 0; i < *nr_ids; i++) {
|
for (i = 0; i < *nr_ids; i++) {
|
||||||
ctrl = nvme_subsys_ctrl(n->subsys, ids[i]);
|
ctrl = nvme_subsys_ctrl(n->subsys, ids[i]);
|
||||||
if (!ctrl) {
|
if (!ctrl) {
|
||||||
|
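Review bot: The added `*nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1);` silently truncates an oversized host-supplied count, so a command whose "Number of Identifiers" exceeds the list capacity is still processed against a partial list instead of being failed. The branch just above already returns `NVME_NS_CTRL_LIST_INVALID | NVME_DNR`, so rejecting may be the more predictable behaviour, e.g. `if (*nr_ids > NVME_CONTROLLER_LIST_SIZE - 1) { return NVME_NS_CTRL_LIST_INVALID | NVME_DNR; }`; if clamping is intentional, a short comment such as `/* entry 0 holds the count, so at most SIZE - 1 identifiers follow */` would explain the `- 1`. Separately, `*nr_ids` and `ids[i]` appear to be read straight from the payload with no byte-order conversion visible here, so it is worth confirming that the cap is applied to the CPU-endian value on big-endian hosts. The body of nvme_ns_attachment() begins and continues outside this hunk, so the declarations of `nr_ids` and `ids` could not be checked.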