[PATCH] nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
Keith Busch
kbusch at kernel.org
Fri Feb 28 09:59:53 PST 2025
On Wed, Feb 26, 2025 at 02:42:18PM +0100, Maurizio Lombardi wrote:
> nvme_tcp_recv_pdu() doesn't check the validity of the header length.
> When header digests are enabled, a target might send a packet with an
> invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()
> to access memory outside the allocated area and cause memory corruptions
> by overwriting it with the calculated digest.
>
> Fix this by rejecting packets with an unexpected header length.
>
> Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
>
> Signed-off-by: Maurizio Lombardi <mlombard at redhat.com>
Thanks, applied to nvme-6.14.
More information about the Linux-nvme
mailing list