Commit d23b262c authored Jan 10, 2024 by Christoph Hellwig Committed by Cheng Yu Jan 10, 2024

nvmet: nul-terminate the NQNs passed in the connect command

mainline inclusion
from mainline-v6.7-rc3
commit 1c22e0295a5eb571c27b53c7371f95699ef705ff
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8H4UJ
CVE: CVE-2023-6121

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1c22e0295a5eb571c27b53c7371f95699ef705ff



--------------------------------

The host and subsystem NQNs are passed in the connect command payload and
interpreted as nul-terminated strings.  Ensure they actually are
nul-terminated before using them.

Fixes: a07b4970 "nvmet: add a generic NVMe target")
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Cheng Yu <serein.chengyu@huawei.com>

parent af276270

drivers/nvme/target/fabrics-cmd.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -189,6 +189,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
		goto out;
		}

		d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
		d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
		status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
		le32_to_cpu(c->kato), &ctrl);
		if (status) {
		@@ -250,6 +252,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
		goto out;
		}

		d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
		d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
		status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
		le16_to_cpu(d->cntlid),
		req, &ctrl);