[PATCH] nvmet-auth: zero the AUTH_RECEIVE response buffer
Keith Busch
kbusch at kernel.org
Mon Jul 6 11:57:54 PDT 2026
On Thu, Jul 02, 2026 at 03:45:14AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity at proton.me>
>
> nvmet_execute_auth_receive() allocates the response buffer with kmalloc()
> sized by the host-supplied AUTH_RECEIVE allocation length, but the
> DH-HMAC-CHAP builders write only a fixed-size message into it. The full
> allocation length is then copied to the wire by nvmet_copy_to_sgl(), so a
> remote initiator receives the bytes past the built message -- up to nearly
> a page of uninitialized slab -- during the pre-authentication handshake.
>
> Allocate the buffer with kzalloc() so the unwritten tail is zeroed before
> it is sent; conforming responses are unaffected.
Thanks, applied to nvme-7.3.
More information about the Linux-nvme
mailing list