[PATCH] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

Maurizio Lombardi mlombard at arkamax.eu
Tue Mar 3 04:17:16 PST 2026


On Tue Mar 3, 2026 at 11:59 AM CET, Maurizio Lombardi wrote:
>
> In my opinion this is a valid concern.
> I suspect that it's really possible to create a malicious sequence
> that would make the target crash.
>
> I would change nvmet_tcp_build_pdu_iovec() to return an error
> code and its caller so they propagate it up to nvmet_tcp_done_recv_pdu()

Additionally, the current design leaves it somewhat ambiguous as to
which function should be responsible for calling nvmet_tcp_fatal_error().
In my opinion, this should be handled by the upper-layer function
nvmet_tcp_try_recv(), allowing the lower-level functions to simply
return an error code.

I submitted a patch to clean this up exactly one year ago,
but it has been forgotten and I only just remembered it.

https://lore.kernel.org/linux-nvme/20250305132642.1271523-1-mlombard@redhat.com/

I could prepare a patchset to fix all this stuff.

Maurizio
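
The layering proposed in this message, as an added example: a user-space C model, not code from the kernel or from any patch in this thread. All `model_*` names, the segment layout and the choice of `-EPROTO` are assumptions made for illustration. The lower function only checks the peer-supplied offset and length and returns an error; the top-level receive function is the single place that records the fatal condition.

```c
#include <errno.h>
#include <stddef.h>

/* User-space stand-ins for illustration; these are not the kernel's types. */
struct model_seg { unsigned char *base; size_t len; };
struct model_cmd {
    struct model_seg *segs;   /* data buffer segments owned by the command */
    size_t nr_segs;
    struct model_seg iov[8];  /* receive vector built from segs */
    size_t nr_iov;
};
struct model_queue { int fatal_calls; };

/* Lower layer: check the peer-supplied range and report; no teardown here. */
static int model_build_iovec(struct model_cmd *cmd, size_t offset, size_t length)
{
    size_t i = 0, n = 0, chunk;

    while (i < cmd->nr_segs && offset >= cmd->segs[i].len)
        offset -= cmd->segs[i++].len;          /* skip segments before the offset */
    for (; length; length -= chunk, offset = 0, i++) {
        if (i >= cmd->nr_segs || n >= sizeof(cmd->iov) / sizeof(cmd->iov[0]))
            return -EPROTO;                    /* range runs past the buffer */
        chunk = cmd->segs[i].len - offset;
        if (chunk > length)
            chunk = length;
        cmd->iov[n].base = cmd->segs[i].base + offset;
        cmd->iov[n++].len = chunk;
    }
    cmd->nr_iov = n;
    return 0;
}

/* Upper layer: the one place that marks the connection as failed. */
static int model_try_recv(struct model_queue *q, struct model_cmd *cmd, size_t offset, size_t length)
{
    int ret = model_build_iovec(cmd, offset, length);
    if (ret < 0)
        q->fatal_calls++;
    return ret;
}

int main(void)
{
    unsigned char a[16], b[16];                /* constructed sample buffers */
    struct model_seg segs[] = { { a, 16 }, { b, 16 } };
    struct model_cmd cmd = { segs, 2, { { 0, 0 } }, 0 };
    struct model_queue q = { 0 };
    model_try_recv(&q, &cmd, 8, 16);           /* in range */
    model_try_recv(&q, &cmd, 24, 16);          /* overruns the 32 bytes */
    return q.fatal_calls == 1 ? 0 : 1;
}
```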


