hw/block/nvme: fix ns attachment out-of-bounds read

nvme_ns_attachment() does not verify the contents of the host-supplied 16 bit "Number of Identifiers" field in the command payload. Make sure the value is capped at 2047 and fix the out-of-bounds read. Fixes: 645ce1a ("hw/block/nvme: support namespace attachment command") Cc: Minwoo Im <[email protected]> Signed-off-by: Klaus Jensen <[email protected]> Reviewed-by: Minwoo Im <[email protected]>
zhugh2333 · Apr 7, 2021 · 8eb5c80 · 8eb5c80
1 parent 102ce60
commit 8eb5c80
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
@@ -4920,6 +4920,7 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n, NvmeRequest *req)
         return NVME_NS_CTRL_LIST_INVALID | NVME_DNR;
     }
 
+    *nr_ids = MIN(*nr_ids, NVME_CONTROLLER_LIST_SIZE - 1);
     for (i = 0; i < *nr_ids; i++) {
         ctrl = nvme_subsys_ctrl(n->subsys, ids[i]);
         if (!ctrl) {