Commit 5d5181db authored by wuzhouhui, committed by Changpeng Liu

nvme/rdma: fix a stack-buffer-overflow error

spdk_mem_map_translate() dereferences a uint64_t * to get an
8-byte long integer, but nvme_rdma_build_sgl_request() just passes
a 4-byte long integer as the last parameter; this causes a
stack-buffer-overflow error.

Reported in https://ci.spdk.io/spdk/builds/review/3ba5ea908781fc5ad311d81bae0b7022ad7b5c51.1539172863/fedora-05/build.log



Change-Id: Id1cda22114fef466dbb930b502e3a68310331f0e
Signed-off-by: wuzhouhui <wuzhouhui@kingsoft.com>
Reviewed-on: https://review.gerrithub.io/428693


Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
parent 5616c1ed
+3 −3
@@ -929,8 +929,8 @@ nvme_rdma_build_sgl_request(struct nvme_rdma_qpair *rqpair,
	struct spdk_nvmf_cmd *cmd = &rqpair->cmds[rdma_req->id];
	struct ibv_mr *mr = NULL;
	void *virt_addr;
	uint64_t remaining_size;
	uint32_t sge_length, mr_length;
	uint64_t remaining_size, mr_length;
	uint32_t sge_length;
	int rc, max_num_sgl, num_sgl_desc;

	assert(req->payload_size != 0);
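Review bot: the declarations now give mr_length a different width (uint64_t) from sge_length (uint32_t) with nothing in the code explaining why. A one-line comment on mr_length saying that spdk_mem_map_translate() writes a full uint64_t through its size pointer would keep a later cleanup from narrowing it back to 32 bits and reintroducing the stack overwrite. It is also worth confirming that any later use of mr_length in this function that stores it into a 32-bit field only happens after it has been bounded against sge_length.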
@@ -953,7 +953,7 @@ nvme_rdma_build_sgl_request(struct nvme_rdma_qpair *rqpair,
		mr_length = sge_length;

		mr = (struct ibv_mr *)spdk_mem_map_translate(rqpair->mr_map->map, (uint64_t)virt_addr,
				(uint64_t *)&mr_length);
				&mr_length);

		if (mr == NULL || mr_length < sge_length) {
			return -1;
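Review bot: the `(uint64_t *)&mr_length` cast dropped in the spdk_mem_map_translate() call is what hid the 4-byte versus 8-byte mismatch from the compiler, so the same pattern may exist at other call sites. Please check the remaining callers of spdk_mem_map_translate() for a cast on the size argument and remove it wherever the variable can be declared uint64_t, so that an incompatible pointer type is reported at build time instead of by the sanitizer in CI. The existing `mr == NULL || mr_length < sge_length` check still compares correctly with the wider mr_length, since sge_length is promoted to 64 bits.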