Commit be59f5d5 authored by Sebastian Brzezinka's avatar Sebastian Brzezinka Committed by Jim Harris

nvmf/vfio_user: add numdw to avoide signed integer overflow



This patch fixes issue #2835.

Signed-off-by: default avatarSebastian Brzezinka <sebastian.brzezinka@intel.com>
Change-Id: Ide49314c39a17e1da78303e59dde5855a0ee38a0
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/16029


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Mellanox Build Bot
Reviewed-by: default avatarChangpeng Liu <changpeng.liu@intel.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
parent 958d4e0e
+6 −2
@@ -5350,7 +5350,7 @@ static int
map_admin_cmd_req(struct nvmf_vfio_user_ctrlr *ctrlr, struct spdk_nvmf_request *req)
{
	struct spdk_nvme_cmd *cmd = &req->cmd->nvme_cmd;
	uint32_t len = 0;
	uint32_t len = 0, numdw = 0;
	uint8_t fid;
	int iovcnt;

@@ -5367,7 +5367,11 @@ map_admin_cmd_req(struct nvmf_vfio_user_ctrlr *ctrlr, struct spdk_nvmf_request *
		len = 4096;
		break;
	case SPDK_NVME_OPC_GET_LOG_PAGE:
		len = (((cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl) + 1) * 4;
		numdw = (((cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl) + 1);
		if (numdw > UINT32_MAX / 4) {
			return -EINVAL;
		}
		len = numdw * 4;
		break;
	case SPDK_NVME_OPC_GET_FEATURES:
	case SPDK_NVME_OPC_SET_FEATURES:
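Review bot: The new `numdw` assignment in the `SPDK_NVME_OPC_GET_LOG_PAGE` case still evaluates the shift and the `+ 1` before the value reaches the `uint32_t`, so only the `* 4` is actually guarded. If `numdu` is a 16-bit bit-field (its declaration is not visible here), it is promoted to `int`, so `numdu << 16` with the top bit set remains a signed overflow. An all-ones count can also wrap to 0 at the `+ 1`, pass `numdw > UINT32_MAX / 4`, and yield `len = 0` for a command-supplied length. I would keep the 0-based value and check it before incrementing: `numdw = ((uint32_t)cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl;`, `if (numdw >= UINT32_MAX / 4) { return -EINVAL; }`, `len = (numdw + 1) * 4;`. The switch and the rest of `map_admin_cmd_req` continue outside these hunks, so how `len` is consumed afterwards should be confirmed there.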