ivampiresp/Spdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nvmf: Check buffer array overflow in spdk_nvmf_request_get_buffers()

Browse Source 
This patch makes multi SGL case possible to call spdk_nvmf_request_get_buffers()
per WR.

Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Change-Id: I977ebb0c6b2a67218c9b6fc20dc26a93a6ec770b
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/468943
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Alexey Marchuk <alexeymar@mellanox.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Seth Howell <seth.howell@intel.com>
This commit is contained in:
Shuhei Matsumoto 2019-09-20 14:19:28 +09:00 committed by Jim Harris
parent 79945ef0ed
commit 22cd4fe2ce
3 changed files with 18 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/nvmf/rdma.c
View File

@ -1754,15 +1754,11 @@ nvmf_rdma_request_fill_iovs_multi_sgl(struct spdk_nvmf_rdma_transport *rtranspor
num_buffers += SPDK_CEIL_DIV(desc->keyed.length, rtransport->transport.opts.io_unit_size);
desc++;
}
/* If the number of buffers is too large, then we know the I/O is larger than allowed. Fail it. */
if (num_buffers > NVMF_REQ_MAX_BUFFERS) {
rc = spdk_nvmf_request_get_buffers(req, &rgroup->group, &rtransport->transport,
num_buffers);
if (rc != 0) {
nvmf_rdma_request_free_data(rdma_req, rtransport);
return -EINVAL;
}
if (spdk_nvmf_request_get_buffers(req, &rgroup->group, &rtransport->transport,
num_buffers) != 0) {
nvmf_rdma_request_free_data(rdma_req, rtransport);
return -ENOMEM;
return rc;
}
/* The first WR must always be the embedded data WR. This is how we unwind them later. */

7
lib/nvmf/transport.c
View File

@ -397,6 +397,13 @@ spdk_nvmf_request_get_buffers(struct spdk_nvmf_request *req,
{
uint32_t i = 0;
/* If the number of buffers is too large, then we know the I/O is larger than allowed.
* Fail it.
*/
if (num_buffers + req->num_buffers > NVMF_REQ_MAX_BUFFERS) {
return -EINVAL;
}
while (i < num_buffers) {
if (!(STAILQ_EMPTY(&group->buf_cache))) {
group->buf_cache_count--;

7
test/unit/lib/nvmf/rdma.c/rdma_ut.c
View File

@ -111,6 +111,13 @@ spdk_nvmf_request_get_buffers(struct spdk_nvmf_request *req,
{
uint32_t i = 0;
/* If the number of buffers is too large, then we know the I/O is larger than allowed.
* Fail it.
*/
if (num_buffers + req->num_buffers > NVMF_REQ_MAX_BUFFERS) {
return -EINVAL;
}
while (i < num_buffers) {
if (!(STAILQ_EMPTY(&group->buf_cache))) {
group->buf_cache_count--;