From: Christoph Hellwig <hch@lst.de>
Date: Fri, 17 Nov 2023 08:13:36 -0500
Subject: nvmet: nul-terminate the NQNs passed in the connect command
Patch-mainline: v6.7-rc3
Git-commit: 1c22e0295a5eb571c27b53c7371f95699ef705ff
References: bsc#1217250 CVE-2023-6121

The host and subsystem NQNs are passed in the connect command payload and
interpreted as nul-terminated strings.  Ensure they actually are
nul-terminated before using them.

Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Acked-by: Daniel Wagner <dwagner@suse.de>
---
 drivers/nvme/target/fabrics-cmd.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c
@@ -184,6 +184,8 @@ static void nvmet_execute_admin_connect(
 		goto out;
 	}
 
+	d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+	d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 	status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
 				  le32_to_cpu(c->kato), &ctrl);
 	if (status) {
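Review bot: the two assignments added before nvmet_alloc_ctrl() overwrite the last byte of d->subsysnqn and d->hostnqn unconditionally, so a payload that fills all NVMF_NQN_FIELD_LEN bytes without a terminator is accepted in silently truncated form rather than rejected. Consider checking for a missing nul first (for example strnlen() of each field against NVMF_NQN_FIELD_LEN) and failing the connect with an error status, or at minimum add a one-line comment stating that these fields arrive from the host and are not guaranteed to be terminated, so the reason for the writes is clear to later readers.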
@@ -205,6 +207,8 @@ static void nvmet_execute_io_connect(str
 		goto out;
 	}
 
+	d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+	d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 	status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
 				     le16_to_cpu(d->cntlid),
 				     req, &ctrl);
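Review bot: the two termination lines before nvmet_ctrl_find_get() duplicate the pair added in nvmet_execute_admin_connect(), which leaves two copies to keep in sync. A small shared helper that terminates (or validates) both d->subsysnqn and d->hostnqn, called from each connect path, would keep any future consumer of the connect data from missing the step. It is also worth confirming that nothing earlier in either function reads the NQNs as strings before these lines run, since the hunk context only shows the tail of the preceding check.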