[PATCH v2] nvmet-auth: validate negotiate payload length (BUG: KASAN: slab-out-of-bounds)
yunje shin
yjshin0438 at gmail.com
Thu Mar 12 23:11:49 PDT 2026
On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech at redhat.com> wrote:
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech at redhat.com>
I hardcoded 1 rather than using neg->napd since napd comes from the wire. If a malicious host sends napd=0, struct_size() would only require the 8-byte header, and the subsequent access to auth_protocol[0] in nvmet_auth_negotiate() would still be out of bounds. Since the target enforces napd == 1 anyway, the end result is the same as you noted.
Thanks
Yunje Shin
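The point in the reply above, as an added user-space illustration that is not code from the patch or from the kernel: a negotiate payload whose descriptor count (napd) comes from the wire must not be the thing that sizes the minimum-length check, because a host can send napd=0 and shrink the required length to just the header while the parser still reads auth_protocol[0]. The struct layout here (an 8-byte header followed by 64-byte protocol descriptors) and the names check_negotiate, check_negotiate_trusting_napd, neg_size and run_scenario are assumptions for this demo, chosen to mirror the shapes discussed in the thread; they are not the kernel's definitions.

```c
/* Added example, not kernel code. The layout below is an assumption that
 * mirrors the shape discussed in the thread: an 8-byte negotiate header
 * followed by 64-byte protocol descriptors. Check include/linux/nvme.h
 * for the authoritative definitions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdalign.h>

#define NAPD_REQUIRED 1          /* the target accepts exactly one descriptor */

struct proto_desc {              /* assumed 64-byte protocol descriptor */
    uint8_t authid;
    uint8_t rsvd;
    uint8_t halen;
    uint8_t dhlen;
    uint8_t idlist[60];
};

struct negotiate_data {          /* assumed 8-byte header + flexible array */
    uint8_t  auth_type;
    uint8_t  auth_id;
    uint16_t rsvd2;
    uint16_t t_id;
    uint8_t  sc_c;
    uint8_t  napd;               /* descriptor count, attacker-controlled */
    struct proto_desc auth_protocol[];
};

enum neg_verdict {
    NEG_OK = 0,
    NEG_SHORT_PAYLOAD,           /* buffer cannot hold header + one descriptor */
    NEG_BAD_NAPD                 /* napd != 1 */
};

/* Stand-in for the kernel's struct_size(): header + n * element, saturating
 * to SIZE_MAX on overflow so a huge n can never wrap around to a small size. */
static size_t neg_size(size_t n)
{
    size_t hdr = offsetof(struct negotiate_data, auth_protocol);
    size_t elem = sizeof(struct proto_desc);
    if (n != 0 && elem > (SIZE_MAX - hdr) / n)
        return SIZE_MAX;
    return hdr + n * elem;
}

/* The "before" variant: sizes the check from napd read off the wire. With
 * napd=0, neg_size() returns just the header, so an 8-byte buffer passes and
 * any later read of auth_protocol[0] runs past the end of the payload. */
static enum neg_verdict check_negotiate_trusting_napd(const uint8_t *buf, size_t len)
{
    const struct negotiate_data *neg = (const void *)buf;
    if (len < offsetof(struct negotiate_data, auth_protocol))
        return NEG_SHORT_PAYLOAD;
    if (len < neg_size(neg->napd))
        return NEG_SHORT_PAYLOAD;
    return NEG_OK;
}

/* The fixed variant: require room for header + exactly one descriptor before
 * touching any descriptor field, then enforce napd == 1 as the target does. */
static enum neg_verdict check_negotiate(const uint8_t *buf, size_t len)
{
    const struct negotiate_data *neg = (const void *)buf;
    if (len < neg_size(NAPD_REQUIRED))
        return NEG_SHORT_PAYLOAD;
    if (neg->napd != NAPD_REQUIRED)
        return NEG_BAD_NAPD;
    return NEG_OK;
}

/* Run one constructed scenario: a zeroed payload of 'len' bytes whose napd
 * byte is 'napd', fed to the trusting (fixed=0) or fixed (fixed=1) check. */
static enum neg_verdict run_scenario(size_t len, uint8_t napd, int fixed)
{
    alignas(struct negotiate_data) uint8_t buf[8 + 2 * sizeof(struct proto_desc)];
    memset(buf, 0, sizeof buf);
    if (len > sizeof buf)
        len = sizeof buf;
    if (len > offsetof(struct negotiate_data, napd))
        buf[offsetof(struct negotiate_data, napd)] = napd;
    return fixed ? check_negotiate(buf, len)
                 : check_negotiate_trusting_napd(buf, len);
}

int main(void)
{
    /* Header-only payload with napd=0: the trusting check lets it through. */
    printf("trusting, 8 bytes, napd=0: %d\n", run_scenario(8, 0, 0));
    printf("fixed,    8 bytes, napd=0: %d\n", run_scenario(8, 0, 1));
    printf("fixed,   72 bytes, napd=1: %d\n", run_scenario(72, 1, 1));
    printf("fixed,   72 bytes, napd=2: %d\n", run_scenario(72, 2, 1));
    return 0;
}
```

The ordering in check_negotiate matters: the length test runs before any field beyond the header is dereferenced, and the constant 1 in the size computation means nothing the peer controls can lower the bound. The napd == 1 test afterwards is what the thread describes the target already enforcing; with both in place the two formulations agree, which is the point Chris made about struct_size(neg, auth_protocol, neg->napd) ending up equivalent once napd is pinned.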