!5788 v2 Patches to Fix CVE-2023-52454 (d8860d3a) · Commits · EulixOS / Software / Kernel

drivers/nvme/target/tcp.c

+16 −1

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@
		#include "nvmet.h"

		#define NVMET_TCP_DEF_INLINE_DATA_SIZE (4 * PAGE_SIZE)
		#define NVMET_TCP_MAXH2CDATA 0x400000 /* 16M arbitrary limit */

		/* Define the socket priority to use for connections were it is desirable
		* that the NIC consider performing optimized packet processing or filtering.
		@@ -872,7 +873,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
		icresp->hdr.pdo = 0;
		icresp->hdr.plen = cpu_to_le32(icresp->hdr.hlen);
		icresp->pfv = cpu_to_le16(NVME_TCP_PFV_1_0);
		icresp->maxdata = cpu_to_le32(0x400000); /* 16M arbitrary limit */
		icresp->maxdata = cpu_to_le32(NVMET_TCP_MAXH2CDATA);
		icresp->cpda = 0;
		if (queue->hdr_digest)
		icresp->digest \|= NVME_TCP_HDR_DIGEST_ENABLE;
		@@ -918,6 +919,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
		{
		struct nvme_tcp_data_pdu *data = &queue->pdu.data;
		struct nvmet_tcp_cmd *cmd;
		unsigned int exp_data_len;

		if (likely(queue->nr_cmds)) {
		if (unlikely(data->ttag >= queue->nr_cmds)) {
		@@ -941,7 +943,20 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
		return -EPROTO;
		}

		exp_data_len = le32_to_cpu(data->hdr.plen) -
		nvmet_tcp_hdgst_len(queue) -
		nvmet_tcp_ddgst_len(queue) -
		sizeof(*data);

		cmd->pdu_len = le32_to_cpu(data->data_length);
		if (unlikely(cmd->pdu_len != exp_data_len \|\|
		cmd->pdu_len == 0 \|\|
		cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) {
		pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
		/* FIXME: use proper transport errors */
		nvmet_tcp_fatal_error(queue);
		return -EPROTO;
		}
		cmd->pdu_recv = 0;
		nvmet_tcp_map_pdu_iovec(cmd);
		queue->cmd = cmd;