From f0ca01e1022aa94a366a1cddca0ff7ebd752f3cc Mon Sep 17 00:00:00 2001
From: Seth Howell
Date: Tue, 28 Jan 2020 08:56:00 -0700
Subject: [PATCH] lib/nvmf: properly validate fuse command fields.

The fuse command value is a two byte value, but we were only checking to see if the fuse value was equal to SPDK_NVME_CMD_FUSE_FIRST or SPDK_NVME_CMD_FUSE_SECOND in spdk_nvmf_ctrlr_process_io_fused_cmd. If a haywire initiator sent a command with a fused value equal to SPDK_NVME_CMD_FUSE_MASK, that would result in us skipping all checks and dereferencing a null pointer in spdk_nvmf_bdev_ctrlr_compare_and_write_cmd. To fix this, add an extra condition to validate the cuse field.

Change-Id: I1ec4169ff5637562effd694f7046c6e3389627f1
Signed-off-by: Seth Howell
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/483123
Reviewed-by: Ben Walker
Reviewed-by: Shuhei Matsumoto
Reviewed-by: Alexey Marchuk
Tested-by: SPDK CI Jenkins
Community-CI: Broadcom SPDK FC-NVMe CI
---
 lib/nvmf/ctrlr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/nvmf/ctrlr.c b/lib/nvmf/ctrlr.c
index 08c64cfe7..a1bf39b9c 100644
--- a/lib/nvmf/ctrlr.c
+++ b/lib/nvmf/ctrlr.c
@@ -2496,6 +2496,11 @@ spdk_nvmf_ctrlr_process_io_fused_cmd(struct spdk_nvmf_request *req, struct spdk_
 /* save request of first command to generate response later */
 req->first_fused_req = first_fused_req;
 req->qpair->first_fused_req = NULL;
+ } else {
+ SPDK_ERRLOG("Invalid fused command fuse field.\n");
+ rsp->status.sct = SPDK_NVME_SCT_GENERIC;
+ rsp->status.sc = SPDK_NVME_SC_INVALID_FIELD;
+ return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;
 }
 
 rc = spdk_nvmf_bdev_ctrlr_compare_and_write_cmd(bdev, desc, ch, req->first_fused_req, req);
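Review bot: The new else branch rejects an out-of-range fuse value but does nothing about a first fused request that may still be parked on req->qpair->first_fused_req (the context line `req->qpair->first_fused_req = NULL;` shows only the SECOND path clears it), so a malformed command arriving between a FIRST and a SECOND leaves that pending request in place and a later SECOND can still pair with it; whether that is the intended sequencing depends on the FIRST branch, which is outside the hunk. If the pair is meant to be torn down, the local first_fused_req visible on the context line could be completed with SPDK_NVME_SC_ABORTED_MISSING_FUSED and the qpair field cleared before returning, mirroring whatever the FIRST path does for an out-of-order command. The SPDK_ERRLOG on the new line fires once per offending command from a connected initiator, so a misbehaving peer can fill the log at will; a lower-severity or rate-limited message would be safer for a path that is entirely peer-triggered. The enclosing function spdk_nvmf_ctrlr_process_io_fused_cmd begins before and ends after the hunk.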