lib/nvmf: properly validate fuse command fields.

The fuse command value is a two byte value, but we were only checking to
see if the fuse value was equal to SPDK_NVME_CMD_FUSE_FIRST or
SPDK_NVME_CMD_FUSE_SECOND in spdk_nvmf_ctrlr_process_io_fused_cmd. If a
haywire initiator sent a command with a fused value equal to
SPDK_NVME_CMD_FUSE_MASK, that would result in us skipping all checks and
dereferencing a null pointer in
spdk_nvmf_bdev_ctrlr_compare_and_write_cmd.

To fix this, add an extra condition to validate the fuse field.

Change-Id: I1ec4169ff5637562effd694f7046c6e3389627f1
Signed-off-by: Seth Howell <seth.howell@intel.com>
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/483123
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-by: Alexey Marchuk <alexeymar@mellanox.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Broadcom SPDK FC-NVMe CI <spdk-ci.pdl@broadcom.com>
Seth Howell 2020-01-28 08:56:00 -07:00 committed by Tomasz Zawadzki
parent 8b74c02390
commit f0ca01e102

@ -2496,6 +2496,11 @@ spdk_nvmf_ctrlr_process_io_fused_cmd(struct spdk_nvmf_request *req, struct spdk_
/* save request of first command to generate response later */
req->first_fused_req = first_fused_req;
req->qpair->first_fused_req = NULL;
} else {
SPDK_ERRLOG("Invalid fused command fuse field.\n");
rsp->status.sct = SPDK_NVME_SCT_GENERIC;
rsp->status.sc = SPDK_NVME_SC_INVALID_FIELD;
return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;
}
rc = spdk_nvmf_bdev_ctrlr_compare_and_write_cmd(bdev, desc, ch, req->first_fused_req, req);
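
Review bot: the new else branch completes the request with SPDK_NVME_SC_INVALID_FIELD but does not touch req->qpair->first_fused_req, so if a first fused command is already parked on the qpair when the invalid fuse value arrives, it stays pending. Consider failing and clearing it here, as the branch above does with `req->qpair->first_fused_req = NULL;`, or add a comment explaining why leaving it is safe. The SPDK_ERRLOG message would also be easier to triage if it printed the fuse value that was received. Finally, a unit test that submits a command with fuse set to SPDK_NVME_CMD_FUSE_MASK would pin down the null-pointer case the commit message describes and guard against regressions before the call to spdk_nvmf_bdev_ctrlr_compare_and_write_cmd.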