From: Maurizio Lombardi <mlombard@redhat.com>
Date: Mon, 8 May 2023 15:47:00 +0000 (+0200)
Subject: fabrics: fix potential invalid memory access in __nvmf_supported_option()
X-Git-Tag: v1.5~31
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f7ba8bf447d44ac6b58fa0e41e58967754881897;p=users%2Fsagi%2Flibnvme.git

fabrics: fix potential invalid memory access in __nvmf_supported_option()

In __nvmf_supported_option(), len is declared as size_t (unsigned)

"len = read()" may return a negative number;
the check "if (len < 0)" will always be false and therefore
"buf[len]" will dereference an invalid memory address.

len should be declared as a signed size_t (ssize_t)

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
---

diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c
index f9c26fe0..cb2dd0d2 100644
--- a/src/nvme/fabrics.c
+++ b/src/nvme/fabrics.c
@@ -625,7 +625,7 @@ static  int __nvmf_supported_options(nvme_root_t r)
 {
 	char buf[0x1000], *options, *p, *v;
 	int fd, ret;
-	size_t len;
+	ssize_t len;
 
 	if (r->options)
 		return 0;