diff options
| author | Klaus Jensen <k.jensen@samsung.com> | 2021-04-07 06:54:34 +0200 |
|---|---|---|
| committer | Klaus Jensen <k.jensen@samsung.com> | 2021-04-07 10:48:32 +0200 |
| commit | 8eb5c8069a5ccb8dadf35765b6f9cca10fb98b84 (patch) | |
| tree | b4dad370abf0c6231bfbffa480c00364cef2b2ac /hw/block | |
| parent | 102ce606fbfa72ce0f22d0320ae9bb8068091dde (diff) | |
| download | qemu-8eb5c8069a5ccb8dadf35765b6f9cca10fb98b84.zip qemu-8eb5c8069a5ccb8dadf35765b6f9cca10fb98b84.tar.gz qemu-8eb5c8069a5ccb8dadf35765b6f9cca10fb98b84.tar.bz2 | |
hw/block/nvme: fix ns attachment out-of-bounds read
nvme_ns_attachment() does not verify the contents of the host-supplied
16 bit "Number of Identifiers" field in the command payload.
Make sure the value is capped at 2047 and fix the out-of-bounds read.
Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command")
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
Diffstat (limited to 'hw/block')
| -rw-r--r-- | hw/block/nvme.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c index 82b3d45..6b1f056 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -4920,6 +4920,7 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n, NvmeRequest *req) return NVME_NS_CTRL_LIST_INVALID | NVME_DNR; } + *nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1); for (i = 0; i < *nr_ids; i++) { ctrl = nvme_subsys_ctrl(n->subsys, ids[i]); if (!ctrl) { |