From be59f5d5138db9552787da78dd824aa3942394b6 Mon Sep 17 00:00:00 2001
From: Sebastian Brzezinka
Date: Tue, 20 Dec 2022 12:46:16 +0100
Subject: [PATCH] nvmf/vfio_user: add numdw to avoide signed integer overflow

This patch fix issue: #2835

Signed-off-by: Sebastian Brzezinka
Change-Id: Ide49314c39a17e1da78303e59dde5855a0ee38a0
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/16029
Tested-by: SPDK CI Jenkins
Community-CI: Mellanox Build Bot
Reviewed-by: Changpeng Liu
Reviewed-by: Jim Harris
---
 lib/nvmf/vfio_user.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/nvmf/vfio_user.c b/lib/nvmf/vfio_user.c
index 6630bc28e..d95ae6660 100644
--- a/lib/nvmf/vfio_user.c
+++ b/lib/nvmf/vfio_user.c
@@ -5350,7 +5350,7 @@ static int
 map_admin_cmd_req(struct nvmf_vfio_user_ctrlr *ctrlr, struct spdk_nvmf_request *req)
 {
 struct spdk_nvme_cmd *cmd = &req->cmd->nvme_cmd;
- uint32_t len = 0;
+ uint32_t len = 0, numdw = 0;
 uint8_t fid;
 int iovcnt;
 
@@ -5367,7 +5367,11 @@ map_admin_cmd_req(struct nvmf_vfio_user_ctrlr *ctrlr, struct spdk_nvmf_request *
 len = 4096;
 break;
 case SPDK_NVME_OPC_GET_LOG_PAGE:
- len = (((cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl) + 1) * 4;
+ numdw = (((cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl) + 1);
+ if (numdw > UINT32_MAX / 4) {
+ return -EINVAL;
+ }
+ len = numdw * 4;
 break;
 case SPDK_NVME_OPC_GET_FEATURES:
 case SPDK_NVME_OPC_SET_FEATURES:
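Review bot: The shift in the new `numdw = ...` line of the GET_LOG_PAGE case is still evaluated before the result is converted to `uint32_t`, so storing it in an unsigned variable does not by itself remove the signed overflow named in the subject. If `numdu` is a 16-bit bit-field (its declaration is not visible here), it promotes to `int` and `numdu << 16` still overflows when its top bit is set; casting the operand avoids that: `numdw = (((uint32_t)cmd->cdw11_bits.get_log_page.numdu << 16) | cmd->cdw10_bits.get_log_page.numdl) + 1;`. Separately, when both fields are all ones the `+ 1` wraps `numdw` to 0, which passes the `> UINT32_MAX / 4` guard and produces `len = 0` for a request that asked for the largest size; `if (numdw == 0 || numdw > UINT32_MAX / 4) {` rejects that case as well. Both fields are read from the request's NVMe command, so they are presumably client-controlled and worth a short comment saying so above the check. The switch in map_admin_cmd_req continues outside this hunk, so how `len` is consumed afterwards cannot be confirmed from here.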