Skip to content
Snippets Groups Projects
Commit ad95bab0 authored by Maurizio Lombardi's avatar Maurizio Lombardi Committed by Keith Busch
Browse files

nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() 


nvme_tcp_recv_pdu() doesn't check the validity of the header length.
When header digests are enabled, a target might send a packet with an
invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()
to access memory outside the allocated area and cause memory corruptions
by overwriting it with the calculated digest.

Fix this by rejecting packets with an unexpected header length.

Fixes: 3f2304f8 ("nvme-tcp: add NVMe over TCP host driver")
Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
parent afb41b08
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 29 additions and 3 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment