From: Christoph Hellwig <hch@lst.de>
Date: Fri, 17 Nov 2023 08:13:36 -0500
Subject: nvmet: nul-terminate the NQNs passed in the connect command
Patch-mainline: v6.7-rc3
Git-commit: 1c22e0295a5eb571c27b53c7371f95699ef705ff
References: bsc#1217250 CVE-2023-6121
The host and subsystem NQNs are passed in the connect command payload and
interpreted as nul-terminated strings. Ensure they actually are
nul-terminated before using them.
Fixes: a07b4970f464 "nvmet: add a generic NVMe target")
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Acked-by: Daniel Wagner <dwagner@suse.de>
---
drivers/nvme/target/fabrics-cmd.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c
@@ -184,6 +184,8 @@ static void nvmet_execute_admin_connect(
goto out;
}
+ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
le32_to_cpu(c->kato), &ctrl);
if (status) {
@@ -205,6 +207,8 @@ static void nvmet_execute_io_connect(str
goto out;
}
+ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
le16_to_cpu(d->cntlid),
req, &ctrl);