Commit 80dcb258 authored by Seth Howell's avatar Seth Howell Committed by Tomasz Zawadzki
Browse files

lib/bdev_nvme: fix attach_controller RPC. 



This RPC was using snprintf which could potentially
truncate a bad argument silently without alerting the
caller.

Signed-off-by: default avatarSeth Howell <seth.howell@intel.com>
Change-Id: I1795b2e4086cbaa45390bd11b189755818b5c9e7
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/3613


Community-CI: Mellanox Build Bot
Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarAleksey Marchuk <alexeymar@mellanox.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
Reviewed-by: default avatarBen Walker <benjamin.walker@intel.com>
parent 65945c02

module/bdev/nvme/bdev_nvme_rpc.c

+41 −5
Original line number Diff line number Diff line
@@ -258,6 +258,7 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request, 
	struct spdk_nvme_host_id hostid = {};

	uint32_t prchk_flags = 0;

	struct nvme_bdev_ctrlr *ctrlr = NULL;

	size_t len, maxlen;

	int rc;



	ctx = calloc(1, sizeof(*ctx));
@@ -291,7 +292,14 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request, 
	ctrlr = nvme_bdev_ctrlr_get_by_name(ctx->req.name);



	/* Parse traddr */

	snprintf(trid.traddr, sizeof(trid.traddr), "%s", ctx->req.traddr);

	maxlen = sizeof(trid.traddr);

	len = strnlen(ctx->req.traddr, maxlen);

	if (len == maxlen) {

		spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "traddr too long: %s",

						     ctx->req.traddr);

		goto cleanup;

	}

	memcpy(trid.traddr, ctx->req.traddr, len + 1);



	/* Parse adrfam */

	if (ctx->req.adrfam) {
@@ -306,7 +314,14 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request, 


	/* Parse trsvcid */

	if (ctx->req.trsvcid) {

		snprintf(trid.trsvcid, sizeof(trid.trsvcid), "%s", ctx->req.trsvcid);

		maxlen = sizeof(trid.trsvcid);

		len = strnlen(ctx->req.trsvcid, maxlen);

		if (len == maxlen) {

			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "trsvcid too long: %s",

							     ctx->req.trsvcid);

			goto cleanup;

		}

		memcpy(trid.trsvcid, ctx->req.trsvcid, len + 1);

	}



	/* Parse priority for the NVMe-oF transport connection */
@@ -316,7 +331,14 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request, 


	/* Parse subnqn */

	if (ctx->req.subnqn) {

		snprintf(trid.subnqn, sizeof(trid.subnqn), "%s", ctx->req.subnqn);

		maxlen = sizeof(trid.subnqn);

		len = strnlen(ctx->req.subnqn, maxlen);

		if (len == maxlen) {

			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "subnqn too long: %s",

							     ctx->req.subnqn);

			goto cleanup;

		}

		memcpy(trid.subnqn, ctx->req.subnqn, len + 1);

	}



	if (ctrlr && (ctx->req.hostaddr || ctx->req.hostnqn || ctx->req.hostsvcid || ctx->req.prchk_guard ||
@@ -325,11 +347,25 @@ rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request, 
	}



	if (ctx->req.hostaddr) {

		snprintf(hostid.hostaddr, sizeof(hostid.hostaddr), "%s", ctx->req.hostaddr);

		maxlen = sizeof(hostid.hostaddr);

		len = strnlen(ctx->req.hostaddr, maxlen);

		if (len == maxlen) {

			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "hostaddr too long: %s",

							     ctx->req.hostaddr);

			goto cleanup;

		}

		memcpy(hostid.hostaddr, ctx->req.hostaddr, len + 1);

	}



	if (ctx->req.hostsvcid) {

		snprintf(hostid.hostsvcid, sizeof(hostid.hostsvcid), "%s", ctx->req.hostsvcid);

		maxlen = sizeof(hostid.hostsvcid);

		len = strnlen(ctx->req.hostsvcid, maxlen);

		if (len == maxlen) {

			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "hostsvcid too long: %s",

							     ctx->req.hostsvcid);

			goto cleanup;

		}

		memcpy(hostid.hostsvcid, ctx->req.hostsvcid, len + 1);

	}



	if (ctx->req.prchk_reftag) {