* [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)
@ 2026-02-11 5:50 YunJe Shin
2026-02-11 16:08 ` Christoph Hellwig
0 siblings, 1 reply; 9+ messages in thread
From: YunJe Shin @ 2026-02-11 5:50 UTC (permalink / raw)
To: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni
Cc: Keith Busch, linux-nvme, linux-kernel, ioerts
AUTH_SEND negotiation expects at least one DH-HMAC-CHAP protocol descriptor.
Reject payloads shorter than that to avoid out-of-bounds reads.
[ 1224.388831] Call Trace:
[ 1224.388833] <TASK>
[ 1224.388834] dump_stack_lvl+0x53/0x70
[ 1224.388839] print_report+0xd0/0x660
[ 1224.388843] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1224.388847] ? kasan_save_track+0x14/0x30
[ 1224.388851] ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388854] kasan_report+0xce/0x100
[ 1224.388857] ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388860] nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388863] ? __pfx_inet_recvmsg+0x10/0x10
[ 1224.388868] ? sock_recvmsg+0x178/0x220
[ 1224.388871] nvmet_tcp_io_work+0x1709/0x2200
[ 1224.388875] ? __pfx_nvmet_tcp_io_work+0x10/0x10
[ 1224.388878] process_one_work+0x5e7/0xfe0
[ 1224.388882] ? assign_work+0x11d/0x370
[ 1224.388885] worker_thread+0x446/0xd00
[ 1224.388888] ? __pfx_worker_thread+0x10/0x10
[ 1224.388891] ? __pfx_worker_thread+0x10/0x10
[ 1224.388894] kthread+0x2c6/0x3b0
[ 1224.388896] ? recalc_sigpending+0x15c/0x1e0
[ 1224.388900] ? __pfx_kthread+0x10/0x10
[ 1224.388902] ret_from_fork+0x38d/0x5c0
[ 1224.388906] ? __pfx_ret_from_fork+0x10/0x10
[ 1224.388909] ? __switch_to+0xb13/0xea0
[ 1224.388912] ? __switch_to_asm+0x39/0x70
[ 1224.388916] ? __switch_to_asm+0x33/0x70
[ 1224.388918] ? __pfx_kthread+0x10/0x10
[ 1224.388920] ret_from_fork_asm+0x1a/0x30
[ 1224.388924] </TASK>
[ 1224.388925]
[ 1224.403207] Allocated by task 670:
[ 1224.403446] kasan_save_stack+0x33/0x60
[ 1224.403723] kasan_save_track+0x14/0x30
[ 1224.403987] __kasan_kmalloc+0x8f/0xa0
[ 1224.404286] __kmalloc_noprof+0x18e/0x480
[ 1224.404631] nvmet_execute_auth_send+0x3be/0x2090
[ 1224.405016] nvmet_tcp_io_work+0x1709/0x2200
[ 1224.405356] process_one_work+0x5e7/0xfe0
[ 1224.405695] worker_thread+0x446/0xd00
[ 1224.405996] kthread+0x2c6/0x3b0
[ 1224.406256] ret_from_fork+0x38d/0x5c0
[ 1224.406578] ret_from_fork_asm+0x1a/0x30
[ 1224.406907]
[ 1224.407035] The buggy address belongs to the object at ffff88800a6537c0
[ 1224.407035] which belongs to the cache kmalloc-8 of size 8
[ 1224.407998] The buggy address is located 0 bytes to the right of
[ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
[ 1224.409014]
[ 1224.409155] The buggy address belongs to the physical page:
[ 1224.409669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800a653a00 pfn:0xa653
[ 1224.410401] flags: 0x100000000000200(workingset|node=0|zone=1)
[ 1224.410895] page_type: f5(slab)
[ 1224.411160] raw: 0100000000000200 ffff888007441500 ffff888007440210 ffff888007440210
[ 1224.411787] raw: ffff88800a653a00 0000000000800050 00000000f5000000 0000000000000000
[ 1224.412412] page dumped because: kasan: bad access detected
[ 1224.412866]
[ 1224.413006] Memory state around the buggy address:
[ 1224.413391] ffff88800a653680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.413963] ffff88800a653700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.414544] >ffff88800a653780: fc fc fc fc fc fc fc fc 00 fc fc fc fa fc fc fc
[ 1224.415045] ^
[ 1224.415444] ffff88800a653800: fa fc fc fc fa fc fc fc 06 fc fc fc 07 fc fc fc
[ 1224.416028] ffff88800a653880: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
[ 1224.416630] ==================================================================
Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
---
drivers/nvme/target/fabrics-cmd-auth.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 5946681cb0e3..2bcee44b3395 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
goto done_failure1;
if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
+ size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) +
+ sizeof(struct nvmf_auth_dhchap_protocol_descriptor);
+
+ if (tl < min_len) {
+ status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
+ req->error_loc =
+ offsetof(struct nvmf_auth_send_command, tl);
+ goto done_kfree;
+ }
/* Restart negotiation */
pr_debug("%s: ctrl %d qid %d reset negotiation\n",
__func__, ctrl->cntlid, req->sq->qid);
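Review bot: the new check reports a short payload as an NVMe status (NVME_SC_INVALID_FIELD | NVME_STATUS_DNR) before jumping to done_kfree, while the restart path that follows it (visible in full in the v2 diff's removed lines) reports failures by setting req->sq->dhchap_status and req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1 before the same goto; a malformed negotiate should follow that convention, with NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD as the status, so it is reported the way the rest of this function reports DH-HMAC-CHAP errors. Two smaller points: `sizeof(struct nvmf_auth_dhchap_negotiate_data) + sizeof(struct nvmf_auth_dhchap_protocol_descriptor)` is what struct_size(neg, auth_protocol, 1) expresses without hand-written arithmetic, and since data->auth_type and data->auth_id are dereferenced before this branch is reached, it is worth confirming that a tl smaller than the fixed header is already rejected earlier in the function; if it is not, those two reads need the same guard.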
--
2.43.0
* Re: [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)
2026-02-11 5:50 [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload length(KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090) YunJe Shin
@ 2026-02-11 16:08 ` Christoph Hellwig
2026-02-12 1:33 ` [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds) YunJe Shin
0 siblings, 1 reply; 9+ messages in thread
From: Christoph Hellwig @ 2026-02-11 16:08 UTC (permalink / raw)
To: YunJe Shin
Cc: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni,
Keith Busch, linux-nvme, linux-kernel, ioerts

On Wed, Feb 11, 2026 at 02:50:03PM +0900, YunJe Shin wrote:
> < snip>

Please don't spam the commit message with the entire backtrace.

> index 5946681cb0e3..2bcee44b3395 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req) > goto done_failure1; > if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) { > if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) { > + size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) + > + sizeof(struct nvmf_auth_dhchap_protocol_descriptor); This should be be using struct_size. And all of this is way too long, please use the chance to split this out into a helper: if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) { if (!nvmet_restart_dhchap_auth(req)) goto done_kfree; } else if (data->auth_id != req->sq->dhchap_step) case struct_ > + > + if (tl < min_len) { > + status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR; > + req->error_loc = > + offsetof(struct nvmf_auth_send_command, tl); > + goto done_kfree; > + } None of the functions here uses nvme errors returns, but instead uses dhchap_status. Should this be NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead? (not really an expert on the dhchap status conventions, maybe someone else can chime in) ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-02-11 16:08 ` Christoph Hellwig
@ 2026-02-12 1:33 ` YunJe Shin
2026-02-12 11:03 ` Hannes Reinecke
2026-03-10 20:47 ` Chris Leech
0 siblings, 2 replies; 9+ messages in thread
From: YunJe Shin @ 2026-02-12 1:33 UTC (permalink / raw)
To: hch; +Cc: hare, ioerts, kbusch, kch, linux-kernel, linux-nvme, sagi, yjshin0438

From: Yunje Shin <ioerts@kookmin.ac.kr>

AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
Validate the payload length before parsing the negotiate payload to avoid
out-of-bounds reads.

KASAN splat:
[ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
[ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
[ 1224.412412] page dumped because: kasan: bad access detected

Use struct_size() for minimum length computation and move the negotiate
restart flow into a helper so the call site stays compact.

Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
---
v2:
- use struct_size() for negotiate payload minimum length
- split negotiate handling into nvmet_restart_dhchap_auth() helper
- use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status

drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 5946681cb0e3..3773980bcb1c 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -231,6 +231,36 @@ u32 nvmet_auth_send_data_len(struct nvmet_req *req) return le32_to_cpu(req->cmd->auth_send.tl); } +static bool nvmet_restart_dhchap_auth(struct nvmet_req *req, void *d, u32 tl) +{ + struct nvmet_ctrl *ctrl = req->sq->ctrl; + struct nvmf_auth_dhchap_negotiate_data *neg = d; + u8 dhchap_status; + size_t min_len = struct_size(neg, auth_protocol, 1); + + if (tl < min_len) { + req->sq->dhchap_status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; + req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1; + return false; + } + + /* Restart negotiation */ + pr_debug("%s: ctrl %d qid %d reset negotiation\n", + __func__, ctrl->cntlid, req->sq->qid); + if (!req->sq->qid) { + dhchap_status = nvmet_setup_auth(ctrl, req->sq); + if (dhchap_status) { + pr_err("ctrl %d qid 0 failed to setup re-authentication\n", + ctrl->cntlid); + req->sq->dhchap_status = dhchap_status; + req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1; + return false; + } + } + req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; + return true; +} + void nvmet_execute_auth_send(struct nvmet_req *req) { struct nvmet_ctrl *ctrl = req->sq->ctrl; 
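Review bot: the helper's return contract should be documented at its definition: false means req->sq->dhchap_status and req->sq->dhchap_step have already been set and the caller must jump to done_kfree, which is what makes the one-line call site correct but is not obvious from a name that says "restart". The hunk also changes ordering: the old code reset negotiation (nvmet_setup_auth() on qid 0) unconditionally, whereas now a too-short negotiate returns FAILURE1 without touching the existing auth state; that deserves a sentence in the commit message. Finally, `size_t min_len = struct_size(neg, auth_protocol, 1);` deliberately ignores neg->napd because that byte comes from the wire; a one-line comment saying so would save the next reader the question Chris Leech raises later in this thread.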
@@ -289,22 +319,8 @@ void nvmet_execute_auth_send(struct nvmet_req *req) goto done_failure1; if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) { if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) { - /* Restart negotiation */ - pr_debug("%s: ctrl %d qid %d reset negotiation\n", - __func__, ctrl->cntlid, req->sq->qid); - if (!req->sq->qid) { - dhchap_status = nvmet_setup_auth(ctrl, req->sq); - if (dhchap_status) { - pr_err("ctrl %d qid 0 failed to setup re-authentication\n", - ctrl->cntlid); - req->sq->dhchap_status = dhchap_status; - req->sq->dhchap_step = - NVME_AUTH_DHCHAP_MESSAGE_FAILURE1; - goto done_kfree; - } - } - req->sq->dhchap_step = - NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; + if (!nvmet_restart_dhchap_auth(req, d, tl)) + goto done_kfree; } else if (data->auth_id != req->sq->dhchap_step) goto done_failure1; /* Validate negotiation parameters */ -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
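Review bot: with the restart block moved into the helper, the local `dhchap_status` in nvmet_execute_auth_send() loses the assignment this hunk removes; if nothing else in the function still sets it, the compiler will warn about a set-but-unused variable, so check and drop it. Separately, the length guard now only runs inside the NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE branch; the `else if (data->auth_id != req->sq->dhchap_step)` path hands the other DH-HMAC-CHAP message types to their own parsers below with the same host-supplied tl, so the commit message should state whether those paths already enforce their minimum sizes or whether that is left for a follow-up.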
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-02-12 1:33 ` [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds) YunJe Shin
@ 2026-02-12 11:03 ` Hannes Reinecke
2026-03-08 15:12 ` yunje shin
2026-03-10 20:47 ` Chris Leech
1 sibling, 1 reply; 9+ messages in thread
From: Hannes Reinecke @ 2026-02-12 11:03 UTC (permalink / raw)
To: YunJe Shin, hch; +Cc: ioerts, kbusch, kch, linux-kernel, linux-nvme, sagi

On 2/12/26 02:33, YunJe Shin wrote:
> From: Yunje Shin <ioerts@kookmin.ac.kr>
>
> AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> Validate the payload length before parsing the negotiate payload to avoid
> out-of-bounds reads.
>
> KASAN splat:
> [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> [ 1224.412412] page dumped because: kasan: bad access detected
>
> Use struct_size() for minimum length computation and move the negotiate
> restart flow into a helper so the call site stays compact.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> ---
> v2:
> - use struct_size() for negotiate payload minimum length
> - split negotiate handling into nvmet_restart_dhchap_auth() helper
> - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
>
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-02-12 11:03 ` Hannes Reinecke
@ 2026-03-08 15:12 ` yunje shin
2026-03-10 18:14 ` yunje shin
0 siblings, 1 reply; 9+ messages in thread
From: yunje shin @ 2026-03-08 15:12 UTC (permalink / raw)
To: Hannes Reinecke, kbusch; +Cc: hch, ioerts, kch, linux-kernel, linux-nvme, sagi

Hi,
Gentle ping on this patch.
I wanted to check if it can be queued.

Thanks,
Yunje Shin

On Thu, Feb 12, 2026 at 8:03 PM Hannes Reinecke <hare@suse.de> wrote:
>
> On 2/12/26 02:33, YunJe Shin wrote:
> > From: Yunje Shin <ioerts@kookmin.ac.kr>
> >
> > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > Validate the payload length before parsing the negotiate payload to avoid
> > out-of-bounds reads.
> >
> > KASAN splat:
> > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > [ 1224.412412] page dumped because: kasan: bad access detected
> >
> > Use struct_size() for minimum length computation and move the negotiate
> > restart flow into a helper so the call site stays compact.
> >
> > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > ---
> > v2:
> > - use struct_size() for negotiate payload minimum length
> > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> >
> Reviewed-by: Hannes Reinecke <hare@suse.de>
>
> Cheers,
>
> Hannes
> --
> Dr. Hannes Reinecke Kernel Storage Architect
> hare@suse.de +49 911 74053 688
> SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-03-08 15:12 ` yunje shin
@ 2026-03-10 18:14 ` yunje shin
0 siblings, 0 replies; 9+ messages in thread
From: yunje shin @ 2026-03-10 18:14 UTC (permalink / raw)
To: kbusch; +Cc: hch, Hannes Reinecke, ioerts, kch, linux-kernel, linux-nvme, sagi

Hi Keith,

Could you take a look at this patch when you get a chance?
It fixes a KASAN slab-out-of-bounds in nvmet_execute_auth_send()
by validating the negotiate payload length before parsing.
Just wanted to check if this can be queued.

Thanks,
Yunje Shin

On Mon, Mar 9, 2026 at 12:12 AM yunje shin <yjshin0438@gmail.com> wrote:
>
> Hi,
> Gentle ping on this patch.
> I wanted to check if it can be queued.
>
> Thanks,
> Yunje Shin
>
> On Thu, Feb 12, 2026 at 8:03 PM Hannes Reinecke <hare@suse.de> wrote:
> >
> > On 2/12/26 02:33, YunJe Shin wrote:
> > > From: Yunje Shin <ioerts@kookmin.ac.kr>
> > >
> > > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > > Validate the payload length before parsing the negotiate payload to avoid
> > > out-of-bounds reads.
> > >
> > > KASAN splat:
> > > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > > [ 1224.412412] page dumped because: kasan: bad access detected
> > >
> > > Use struct_size() for minimum length computation and move the negotiate
> > > restart flow into a helper so the call site stays compact.
> > >
> > > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > > ---
> > > v2:
> > > - use struct_size() for negotiate payload minimum length
> > > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> > >
> > Reviewed-by: Hannes Reinecke <hare@suse.de>
> >
> > Cheers,
> >
> > Hannes
> > --
> > Dr. Hannes Reinecke Kernel Storage Architect
> > hare@suse.de +49 911 74053 688
> > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-02-12 1:33 ` [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds) YunJe Shin
2026-02-12 11:03 ` Hannes Reinecke
@ 2026-03-10 20:47 ` Chris Leech
2026-03-13 6:05 ` yunje shin
2026-03-13 6:11 ` yunje shin
1 sibling, 2 replies; 9+ messages in thread
From: Chris Leech @ 2026-03-10 20:47 UTC (permalink / raw)
To: YunJe Shin; +Cc: hch, hare, ioerts, kbusch, kch, linux-kernel, linux-nvme, sagi

On Thu, Feb 12, 2026 at 10:33:18AM +0900, YunJe Shin wrote:
> From: Yunje Shin <ioerts@kookmin.ac.kr>
>
> AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> Validate the payload length before parsing the negotiate payload to avoid
> out-of-bounds reads.
>
> KASAN splat:
> [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> [ 1224.412412] page dumped because: kasan: bad access detected
>
> Use struct_size() for minimum length computation and move the negotiate
> restart flow into a helper so the call site stays compact.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> ---
> v2:
> - use struct_size() for negotiate payload minimum length
> - split negotiate handling into nvmet_restart_dhchap_auth() helper
> - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
>
> drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
> 1 file changed, 32 insertions(+), 16 deletions(-)
>
...
> + size_t min_len = struct_size(neg, auth_protocol, 1);

Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
But the target code also enforces napd == 1, so it ends up being the same.

Reviewed-by: Chris Leech <cleech@redhat.com>
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-03-10 20:47 ` Chris Leech
@ 2026-03-13 6:05 ` yunje shin
2026-03-13 6:11 ` yunje shin
1 sibling, 0 replies; 9+ messages in thread
From: yunje shin @ 2026-03-13 6:05 UTC (permalink / raw)
To: kbusch, Chris Leech
Cc: hch, hare, ioerts, kch, linux-kernel, linux-nvme, sagi

Hi Keith,

Just following up on this patch. It fixes a network-reachable KASAN
slab-out-of-bounds in nvmet_execute_auth_send(). Could this be queued
for nvme-fixes?

Thanks,
Yunje Shin

On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@redhat.com> wrote:
>
> On Thu, Feb 12, 2026 at 10:33:18AM +0900, YunJe Shin wrote:
> > From: Yunje Shin <ioerts@kookmin.ac.kr>
> >
> > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > Validate the payload length before parsing the negotiate payload to avoid
> > out-of-bounds reads.
> >
> > KASAN splat:
> > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > [ 1224.412412] page dumped because: kasan: bad access detected
> >
> > Use struct_size() for minimum length computation and move the negotiate
> > restart flow into a helper so the call site stays compact.
> >
> > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > ---
> > v2:
> > - use struct_size() for negotiate payload minimum length
> > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> >
> > drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
> > 1 file changed, 32 insertions(+), 16 deletions(-)
> >
> ...
> > + size_t min_len = struct_size(neg, auth_protocol, 1);
>
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech@redhat.com>
>
* Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
2026-03-10 20:47 ` Chris Leech
2026-03-13 6:05 ` yunje shin
@ 2026-03-13 6:11 ` yunje shin
0 siblings, 0 replies; 9+ messages in thread
From: yunje shin @ 2026-03-13 6:11 UTC (permalink / raw)
To: Chris Leech
Cc: hch, hare, ioerts, kbusch, kch, linux-kernel, linux-nvme, sagi

On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@redhat.com> wrote:
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech@redhat.com>

I hardcoded 1 rather than using neg->napd since napd comes from the wire — if
a malicious host sends napd=0, struct_size() would only require the 8-byte
header, and the subsequent access to auth_protocol[0] in nvmet_auth_negotiate()
would still be out of bounds. Since the target enforces napd == 1 anyway, the
end result is the same as you noted.

Thanks
Yunje Shin
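The point made in the reply above (napd is host-controlled, so it must not size the minimum-length check) and the commit message's "at least one descriptor" rule are easy to demonstrate outside the kernel. The block below is an added example written for this page, not code from the patch, the thread participants or drivers/nvme/target. It models the AUTH_SEND negotiate payload in plain userspace C with struct layouts that mirror the kernel's nvmf_auth_dhchap_negotiate_data and nvmf_auth_dhchap_protocol_descriptor (an 8-byte header followed by 64-byte descriptors; that layout, and the auth_type/auth_id/authid byte values used in the constructed payloads, are assumptions of this example), and compares a length check sized from the wire napd against the patch's fixed one-descriptor check. Instead of dereferencing the first descriptor it reports whether that access would land past the tl-byte buffer, which is what KASAN flagged on the 8-byte allocation.

```c
/* Added example for this page, not kernel code: a userspace model of the
 * AUTH_SEND negotiate length check. Layouts mirror the kernel's structs
 * (assumption: 8-byte header followed by 64-byte descriptors). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dhchap_protocol_descriptor {
    uint8_t authid;
    uint8_t rsvd;
    uint8_t halen;
    uint8_t dhlen;
    uint8_t idlist[60];
};

struct dhchap_negotiate_data {
    uint8_t  auth_type;
    uint8_t  auth_id;
    uint16_t rsvd2;
    uint16_t t_id;
    uint8_t  sc_c;
    uint8_t  napd;      /* number of descriptors, supplied by the host */
    struct dhchap_protocol_descriptor auth_protocol[];
};

enum verdict { ACCEPT = 0, REJECT_LEN, REJECT_NAPD, OOB_READ };

/* Same arithmetic as the kernel's struct_size(neg, auth_protocol, n). */
static size_t negotiate_min_len(size_t n)
{
    return offsetof(struct dhchap_negotiate_data, auth_protocol) +
           n * sizeof(struct dhchap_protocol_descriptor);
}

/* Model of the target handling a tl-byte negotiate payload.
 * trust_wire_napd = 1 sizes the check from the host's napd (the variant
 * floated in review); 0 requires one descriptor, as the patch does.
 * Nothing here reads past tl: the "parse" step only reports whether the
 * access to auth_protocol[0] would. */
static enum verdict parse_negotiate(const uint8_t *buf, size_t tl,
                                    int trust_wire_napd)
{
    /* The fixed header must be present before napd can be read at all. */
    if (tl < sizeof(struct dhchap_negotiate_data))
        return REJECT_LEN;

    uint8_t napd = buf[offsetof(struct dhchap_negotiate_data, napd)];
    size_t n = trust_wire_napd ? napd : 1;

    if (tl < negotiate_min_len(n))
        return REJECT_LEN;

    /* The real parser goes on to read auth_protocol[0]; with napd = 0 and
     * tl = 8 that byte sits just past the allocation. */
    if (negotiate_min_len(1) > tl)
        return OOB_READ;

    if (napd != 1)
        return REJECT_NAPD;     /* the target accepts exactly one descriptor */

    return ACCEPT;
}

/* Build a constructed negotiate payload (not captured traffic) and check it. */
static enum verdict run_case(uint8_t napd, size_t tl, int trust_wire_napd)
{
    uint8_t buf[8 + 2 * 64];
    if (tl > sizeof(buf))
        return REJECT_LEN;
    memset(buf, 0, sizeof(buf));
    buf[0] = 0x00;      /* auth_type: common messages (assumed value) */
    buf[1] = 0x00;      /* auth_id: negotiate (assumed value) */
    buf[offsetof(struct dhchap_negotiate_data, napd)] = napd;
    buf[offsetof(struct dhchap_negotiate_data, auth_protocol)] = 0x01; /* authid */
    return parse_negotiate(buf, tl, trust_wire_napd);
}

int main(void)
{
    static const char *name[] = { "accept", "reject: too short",
                                  "reject: napd != 1", "OOB read of auth_protocol[0]" };
    struct { uint8_t napd; size_t tl; } c[] = { {0, 8}, {1, 72}, {2, 72}, {1, 4} };

    for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
        printf("napd=%u tl=%-3zu  trust-napd: %-28s  fixed: %s\n",
               c[i].napd, c[i].tl,
               name[run_case(c[i].napd, c[i].tl, 1)],
               name[run_case(c[i].napd, c[i].tl, 0)]);
    return 0;
}
```

The napd=0, tl=8 row is the shape of the reported splat: the wire-sized check passes because it asks for nothing beyond the header, and the parser's first descriptor read falls outside the 8-byte payload, while the fixed check rejects it before any descriptor is touched. The napd=2 row shows the two checks disagreeing the other way, which is harmless only because the target separately insists on exactly one descriptor.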