From a64acd100c83c7795b2bdfd8787194aedd3cb212 Mon Sep 17 00:00:00 2001 From: Konrad Sztyber Date: Wed, 7 Dec 2022 11:36:00 +0100 Subject: [PATCH] nvmf: return error on invalid req length for copy commands Both the length of a request and the number of ranges to copy are controlled by the user, so we should check them and return an error instead of asserting that they're correct. This fixes the `test/nvmf/target/fabrics_fuzz.sh` test. Signed-off-by: Konrad Sztyber Change-Id: I3481c4bb1f2c7676df81f41dfc95ef063924222e Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/15805 Reviewed-by: Pawel Piatek Reviewed-by: Tomasz Zawadzki Reviewed-by: Aleksey Marchuk Tested-by: SPDK CI Jenkins Community-CI: Mellanox Build Bot --- lib/nvmf/ctrlr_bdev.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/nvmf/ctrlr_bdev.c b/lib/nvmf/ctrlr_bdev.c index d4938f862..d50e7b401 100644 --- a/lib/nvmf/ctrlr_bdev.c +++ b/lib/nvmf/ctrlr_bdev.c @@ -681,7 +681,13 @@ nvmf_bdev_ctrlr_copy_cmd(struct spdk_bdev *bdev, struct spdk_bdev_desc *desc, cmd->cdw12_bits.copy.prinfow, cmd->cdw12_bits.copy.fua, cmd->cdw12_bits.copy.lr); - assert(req->length == (cmd->cdw12_bits.copy.nr + 1) * sizeof(struct spdk_nvme_scc_source_range)); + + if (spdk_unlikely(req->length != (cmd->cdw12_bits.copy.nr + 1) * + sizeof(struct spdk_nvme_scc_source_range))) { + response->status.sct = SPDK_NVME_SCT_GENERIC; + response->status.sc = SPDK_NVME_SC_DATA_SGL_LENGTH_INVALID; + return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE; + } if (!spdk_bdev_io_type_supported(bdev, SPDK_BDEV_IO_TYPE_COPY)) { SPDK_NOTICELOG("Copy command not supported by bdev\n");