From: Christoph Hellwig <hch@lst.de>
To: YunJe Shin <yjshin0438@gmail.com>
Cc: Hannes Reinecke <hare@suse.de>, Christoph Hellwig <hch@lst.de>,
Sagi Grimberg <sagi@grimberg.me>,
Chaitanya Kulkarni <kch@nvidia.com>,
Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
ioerts@kookmin.ac.kr
Subject: Re: [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)
Date: Wed, 11 Feb 2026 17:08:59 +0100 [thread overview]
Message-ID: <20260211160859.GA11869@lst.de> (raw)
In-Reply-To: <20260211055036.2675866-1-ioerts@kookmin.ac.kr>
On Wed, Feb 11, 2026 at 02:50:03PM +0900, YunJe Shin wrote:
> < snip>
Please don't spam the commit message with the entire backtrace.
> index 5946681cb0e3..2bcee44b3395 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
> goto done_failure1;
> if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
> if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
> + size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) +
> + sizeof(struct nvmf_auth_dhchap_protocol_descriptor);
This should be be using struct_size. And all of this is way too long,
please use the chance to split this out into a helper:
if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
if (!nvmet_restart_dhchap_auth(req))
goto done_kfree;
} else if (data->auth_id != req->sq->dhchap_step)
case
struct_
> +
> + if (tl < min_len) {
> + status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
> + req->error_loc =
> + offsetof(struct nvmf_auth_send_command, tl);
> + goto done_kfree;
> + }
None of the functions here uses nvme errors returns, but instead uses
dhchap_status. Should this be NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD
instead? (not really an expert on the dhchap status conventions,
maybe someone else can chime in)
next prev parent reply other threads:[~2026-02-11 16:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 5:50 [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090) YunJe Shin
2026-02-11 16:08 ` Christoph Hellwig [this message]
2026-02-12 1:33 ` [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds) YunJe Shin
2026-02-12 11:03 ` Hannes Reinecke
2026-03-08 15:12 ` yunje shin
2026-03-10 18:14 ` yunje shin
2026-03-10 20:47 ` Chris Leech
2026-03-13 6:05 ` yunje shin
2026-03-13 6:11 ` yunje shin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260211160859.GA11869@lst.de \
--to=hch@lst.de \
--cc=hare@suse.de \
--cc=ioerts@kookmin.ac.kr \
--cc=kbusch@kernel.org \
--cc=kch@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
--cc=yjshin0438@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox