nvmf: Check buffer array overflow in spdk_nvmf_request_get_buffers() (22cd4fe2) · Commits · Public Repositories / spdk

lib/nvmf/rdma.c

+4 −8

Original line number	Diff line number	Diff line
		@@ -1754,15 +1754,11 @@ nvmf_rdma_request_fill_iovs_multi_sgl(struct spdk_nvmf_rdma_transport *rtranspor
		num_buffers += SPDK_CEIL_DIV(desc->keyed.length, rtransport->transport.opts.io_unit_size);
		desc++;
		}
		/* If the number of buffers is too large, then we know the I/O is larger than allowed. Fail it. */
		if (num_buffers > NVMF_REQ_MAX_BUFFERS) {
		nvmf_rdma_request_free_data(rdma_req, rtransport);
		return -EINVAL;
		}
		if (spdk_nvmf_request_get_buffers(req, &rgroup->group, &rtransport->transport,
		num_buffers) != 0) {
		rc = spdk_nvmf_request_get_buffers(req, &rgroup->group, &rtransport->transport,
		num_buffers);
		if (rc != 0) {
		nvmf_rdma_request_free_data(rdma_req, rtransport);
		return -ENOMEM;
		return rc;
		}

		/* The first WR must always be the embedded data WR. This is how we unwind them later. */

+7 −0

Original line number	Diff line number	Diff line
		@@ -397,6 +397,13 @@ spdk_nvmf_request_get_buffers(struct spdk_nvmf_request *req,
		{
		uint32_t i = 0;

		/* If the number of buffers is too large, then we know the I/O is larger than allowed.
		* Fail it.
		*/
		if (num_buffers + req->num_buffers > NVMF_REQ_MAX_BUFFERS) {
		return -EINVAL;
		}

		while (i < num_buffers) {
		if (!(STAILQ_EMPTY(&group->buf_cache))) {
		group->buf_cache_count--;

+7 −0

Original line number	Diff line number	Diff line
		@@ -111,6 +111,13 @@ spdk_nvmf_request_get_buffers(struct spdk_nvmf_request *req,
		{
		uint32_t i = 0;

		/* If the number of buffers is too large, then we know the I/O is larger than allowed.
		* Fail it.
		*/
		if (num_buffers + req->num_buffers > NVMF_REQ_MAX_BUFFERS) {
		return -EINVAL;
		}

		while (i < num_buffers) {
		if (!(STAILQ_EMPTY(&group->buf_cache))) {
		group->buf_cache_count--;