From 975362d2361ed8eba9d5c2d359540ac65c681824 Mon Sep 17 00:00:00 2001
From: Daniel Verkamp
Date: Tue, 16 Aug 2016 11:14:05 -0700
Subject: [PATCH] nvmf: verify that Connect NQNs are null terminated
The spec requires that NQNs are null terminated and maximum of 223 bytes long, despite the Connect command fields being larger (256 bytes), so add checks for both subsystem NQN and host NQN before using them as null terminated strings.
Change-Id: I343d9e44a09ab4d0f6654feba460b31e976c4e56
Signed-off-by: Daniel Verkamp
---
 lib/nvmf/request.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lib/nvmf/request.c b/lib/nvmf/request.c
index b359ef872..23de36db1 100644
--- a/lib/nvmf/request.c
+++ b/lib/nvmf/request.c
@@ -184,6 +184,7 @@ nvmf_process_connect(struct spdk_nvmf_request *req)
 struct spdk_nvmf_fabric_connect_data *data = (struct spdk_nvmf_fabric_connect_data *) req->data;
 struct spdk_nvmf_fabric_connect_rsp *rsp = &req->rsp->connect_rsp;
+ void *end;
 #define INVALID_CONNECT_DATA(field) invalid_connect_response(rsp, 1, offsetof(struct spdk_nvmf_fabric_connect_data, field))
@@ -193,6 +194,20 @@ nvmf_process_connect(struct spdk_nvmf_request *req)
 return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;
 }
+ /* Ensure that subnqn and hostnqn are null terminated */
+ end = memchr(data->subnqn, '\0', SPDK_NVMF_NQN_MAX_LEN);
+ if (!end) {
+ SPDK_ERRLOG("Connect SUBNQN is not null terminated\n");
+ INVALID_CONNECT_DATA(subnqn);
+ return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;
+ }
+
+ end = memchr(data->hostnqn, '\0', SPDK_NVMF_NQN_MAX_LEN);
+ if (!end) {
+ SPDK_ERRLOG("Connect HOSTNQN is not null terminated\n");
+ INVALID_CONNECT_DATA(hostnqn);
+ return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;
+ }
 /* Look up the requested subsystem */
 subsystem = nvmf_find_subsystem(data->subnqn, data->hostnqn);
 if (subsystem == NULL) {
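Review bot: Both `memchr` calls in the second hunk scan exactly `SPDK_NVMF_NQN_MAX_LEN` bytes, so whether a maximum-length NQN is accepted depends on whether that constant counts the terminator, and its definition is not visible in this patch. If it is the 223-byte name length the commit message cites, a 223-byte NQN whose NUL sits at offset 223 would be rejected as unterminated; the bound would then need to be `memchr(data->subnqn, '\0', SPDK_NVMF_NQN_MAX_LEN + 1)` (and likewise for `hostnqn`), which still stays well inside the 256-byte field. Either way, a comment above the checks such as `/* NQN: at most SPDK_NVMF_NQN_MAX_LEN bytes plus a NUL; the Connect field itself is 256 bytes */` would record why the scan stops short of the field size. Since `end` is only tested against NULL, the variable could also be dropped in favour of `if (memchr(...) == NULL)`. The body of nvmf_process_connect starts and ends outside the hunks shown.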