nvme/ctrlr: fix namespaces indexed overflow risk

Change-Id: Ied1de194621a02f6eeaafc23ce5ff467760a71aa
Signed-off-by: Mao Jiang <maox.jiang@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/7772
Community-CI: Broadcom CI
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
This commit is contained in:
Mao Jiang 2021-05-06 15:54:58 +08:00 committed by Tomasz Zawadzki
parent b940247b3e
commit 3067ecaa0c

View File

@ -3771,6 +3771,10 @@ spdk_nvme_ctrlr_attach_ns(struct spdk_nvme_ctrlr *ctrlr, uint32_t nsid,
int res; int res;
struct spdk_nvme_ns *ns; struct spdk_nvme_ns *ns;
if (nsid == 0) {
return -EINVAL;
}
status = calloc(1, sizeof(*status)); status = calloc(1, sizeof(*status));
if (!status) { if (!status) {
NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n"); NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n");
@ -3809,6 +3813,10 @@ spdk_nvme_ctrlr_detach_ns(struct spdk_nvme_ctrlr *ctrlr, uint32_t nsid,
int res; int res;
struct spdk_nvme_ns *ns; struct spdk_nvme_ns *ns;
if (nsid == 0) {
return -EINVAL;
}
status = calloc(1, sizeof(*status)); status = calloc(1, sizeof(*status));
if (!status) { if (!status) {
NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n"); NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n");
@ -3870,8 +3878,11 @@ spdk_nvme_ctrlr_create_ns(struct spdk_nvme_ctrlr *ctrlr, struct spdk_nvme_ns_dat
} }
nsid = status->cpl.cdw0; nsid = status->cpl.cdw0;
ns = &ctrlr->ns[nsid - 1];
free(status); free(status);
assert(nsid > 0);
ns = &ctrlr->ns[nsid - 1];
/* Inactive NS */ /* Inactive NS */
res = nvme_ns_construct(ns, nsid, ctrlr); res = nvme_ns_construct(ns, nsid, ctrlr);
if (res) { if (res) {
@ -3889,6 +3900,10 @@ spdk_nvme_ctrlr_delete_ns(struct spdk_nvme_ctrlr *ctrlr, uint32_t nsid)
int res; int res;
struct spdk_nvme_ns *ns; struct spdk_nvme_ns *ns;
if (nsid == 0) {
return -EINVAL;
}
status = calloc(1, sizeof(*status)); status = calloc(1, sizeof(*status));
if (!status) { if (!status) {
NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n"); NVME_CTRLR_ERRLOG(ctrlr, "Failed to allocate status tracker\n");