From 5d5181db706fc5ea634708a0317ef6ad3951a36a Mon Sep 17 00:00:00 2001
From: wuzhouhui
Date: Wed, 10 Oct 2018 23:09:26 +0800
Subject: [PATCH] nvme/rdma: fix a stack-buffer-overflow error

spdk_mem_map_translate() dereference a uint64_t * to get a 8-bytes long integer, but nvme_rdma_build_sgl_request() just passes a 4-bytes long integer as last parameter, this causes a stack-buffer-overflow error.
Reported in https://ci.spdk.io/spdk/builds/review/3ba5ea908781fc5ad311d81bae0b7022ad7b5c51.1539172863/fedora-05/build.log

Change-Id: Id1cda22114fef466dbb930b502e3a68310331f0e
Signed-off-by: wuzhouhui
Reviewed-on: https://review.gerrithub.io/428693
Chandler-Test-Pool: SPDK Automated Test System
Tested-by: SPDK CI Jenkins
Reviewed-by: Ben Walker
Reviewed-by: Changpeng Liu
---
 lib/nvme/nvme_rdma.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/nvme/nvme_rdma.c b/lib/nvme/nvme_rdma.c
index 8393a73d8..5b330e77e 100644
--- a/lib/nvme/nvme_rdma.c
+++ b/lib/nvme/nvme_rdma.c
@@ -929,8 +929,8 @@ nvme_rdma_build_sgl_request(struct nvme_rdma_qpair *rqpair,
 struct spdk_nvmf_cmd *cmd = &rqpair->cmds[rdma_req->id];
 struct ibv_mr *mr = NULL;
 void *virt_addr;
- uint64_t remaining_size;
- uint32_t sge_length, mr_length;
+ uint64_t remaining_size, mr_length;
+ uint32_t sge_length;
 int rc, max_num_sgl, num_sgl_desc;
 
 assert(req->payload_size != 0);
@@ -953,7 +953,7 @@ nvme_rdma_build_sgl_request(struct nvme_rdma_qpair *rqpair,
 mr_length = sge_length;
 mr = (struct ibv_mr *)spdk_mem_map_translate(rqpair->mr_map->map, (uint64_t)virt_addr,
- (uint64_t *)&mr_length);
+ &mr_length);
 if (mr == NULL || mr_length < sge_length) {
 return -1;
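Review bot: Nothing in the first hunk records why mr_length has to be 64-bit, so a later tidy-up could regroup it with sge_length as uint32_t and silently reintroduce the 4-byte stack write the commit message describes; a short comment on the declaration would pin the requirement, e.g. `uint64_t remaining_size, mr_length; /* written as uint64_t by spdk_mem_map_translate() */`. The second hunk drops the `(uint64_t *)` cast that hid the mismatch from the compiler, which is the right shape of fix; if other callers in the tree pass a narrower variable through the same kind of cast they would deserve the same review, though none is visible here. With mr_length widened, `mr_length < sge_length` in the second hunk compares uint64_t against uint32_t, which promotes correctly and needs no change. nvme_rdma_build_sgl_request continues past both hunks, and the second hunk is cut off at the end of this excerpt.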