From 8fbcc1e3eceda48e8000c4d6e7d80161656597fb Mon Sep 17 00:00:00 2001
From: Seth Howell <seth.howell@intel.com>
Date: Wed, 2 Aug 2017 13:41:20 -0700
Subject: [PATCH] nvme_ns_cmd: add overflow check in write_zeroes function

The value for lba_count is stored in a 0-based 16 bit register. here we
confirm that the value passed to that register is no larger than 2^16.

Change-Id: I234e55fc2b61338444dfe8f734e76f958d1f0443
Signed-off-by: Seth Howell <seth.howell@intel.com>
Reviewed-on: https://review.gerrithub.io/372370
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
---
 lib/nvme/nvme_ns_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nvme/nvme_ns_cmd.c b/lib/nvme/nvme_ns_cmd.c
index 797c06ccb..dd39bcbb4 100644
--- a/lib/nvme/nvme_ns_cmd.c
+++ b/lib/nvme/nvme_ns_cmd.c
@@ -714,7 +714,7 @@ spdk_nvme_ns_cmd_write_zeroes(struct spdk_nvme_ns *ns, struct spdk_nvme_qpair *q
 	struct spdk_nvme_cmd	*cmd;
 	uint64_t		*tmp_lba;
 
-	if (lba_count == 0) {
+	if (lba_count == 0 || lba_count > UINT16_MAX + 1) {
 		return -EINVAL;
 	}