Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
From: yunje shin
Date: Fri Mar 13 2026 - 02:16:26 EST
On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@xxxxxxxxxx> wrote:
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech@xxxxxxxxxx>
I hardcoded 1 rather than using neg->napd since napd comes from the wire — if a malicious host sends napd=0, struct_size() would only require the 8-byte header, and the subsequent access to auth_protocol[0] in nvmet_auth_negotiate() would still be out of bounds. Since the target enforces napd == 1 anyway, the end result is the same as you noted.
Thanks
Yunje Shin
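The point in the reply above (a length bound computed from the wire-supplied napd lets an 8-byte payload through, while a bound with the element count hardcoded to 1 does not) as an added, stand-alone illustration. This is example code, not the kernel's nvmet-auth code or the patch under review: the struct layout (8-byte header, 64-byte descriptor), the STRUCT_SIZE macro standing in for struct_size(), the verdict enum and the helper names are assumptions constructed here; the field names napd and auth_protocol are taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed mirror of the negotiate payload shape discussed in the thread:
 * an 8-byte fixed header (ending in napd) followed by a flexible array of
 * protocol descriptors. Descriptor size and header field names are assumptions
 * for this example, not the kernel's definitions.
 */
struct proto_desc {
	uint8_t authid;
	uint8_t rsvd;
	uint8_t halen;
	uint8_t dhlen;
	uint8_t idlist[60];
};

struct negotiate_data {
	uint8_t  auth_type;
	uint8_t  auth_id;
	uint16_t rsvd2;
	uint16_t t_id;
	uint8_t  sc_c;
	uint8_t  napd;			/* descriptor count claimed by the peer */
	struct proto_desc auth_protocol[];
};

/* Stand-in for the kernel's struct_size(): header plus n trailing elements. */
#define STRUCT_SIZE(p, member, n) \
	(sizeof(*(p)) + sizeof((p)->member[0]) * (size_t)(n))

enum verdict { ACCEPT = 0, REJECT_LEN = 1, REJECT_NAPD = 2 };

/* Room for the header plus one descriptor, aligned for the header's u16 fields. */
union payload_buf {
	uint16_t align;
	uint8_t bytes[sizeof(struct negotiate_data) + sizeof(struct proto_desc)];
};

/*
 * Bound derived from the wire value: with napd == 0, struct_size() only asks
 * for the 8-byte header, so an 8-byte payload passes although the target goes
 * on to read auth_protocol[0].
 */
static enum verdict check_len_from_wire_napd(const union payload_buf *buf, size_t len)
{
	const struct negotiate_data *neg = (const struct negotiate_data *)buf->bytes;

	if (len < sizeof(*neg))
		return REJECT_LEN;	/* cannot even read napd */
	if (len < STRUCT_SIZE(neg, auth_protocol, neg->napd))
		return REJECT_LEN;
	return ACCEPT;
}

/* Bound with the count hardcoded to the one descriptor that is dereferenced. */
static enum verdict check_len_hardcoded(const union payload_buf *buf, size_t len)
{
	const struct negotiate_data *neg = (const struct negotiate_data *)buf->bytes;

	if (len < STRUCT_SIZE(neg, auth_protocol, 1))
		return REJECT_LEN;
	if (neg->napd != 1)		/* existing target policy */
		return REJECT_NAPD;
	return ACCEPT;
}

/* Constructed payload: header claiming `napd`, followed by `ndesc` (0 or 1) descriptors. */
static size_t build_payload(union payload_buf *buf, uint8_t napd, unsigned int ndesc)
{
	struct negotiate_data *neg = (struct negotiate_data *)buf->bytes;

	memset(buf, 0, sizeof(*buf));
	neg->t_id = 1;
	neg->napd = napd;
	if (ndesc)
		neg->auth_protocol[0].authid = 1;
	return STRUCT_SIZE(neg, auth_protocol, ndesc);
}

/* Bytes a payload must carry before auth_protocol[0] can be read safely. */
size_t min_negotiate_len(void)
{
	return sizeof(struct negotiate_data) + sizeof(struct proto_desc);
}

/* Hostile case from the thread: napd = 0 with only the 8-byte header on the wire. */
enum verdict hostile_napd0_wire_check(void)
{
	union payload_buf buf;
	size_t len = build_payload(&buf, 0, 0);
	return check_len_from_wire_napd(&buf, len);
}

enum verdict hostile_napd0_hardcoded_check(void)
{
	union payload_buf buf;
	size_t len = build_payload(&buf, 0, 0);
	return check_len_hardcoded(&buf, len);
}

/* Well-formed case: napd = 1 with one descriptor present. */
enum verdict valid_hardcoded_check(void)
{
	union payload_buf buf;
	size_t len = build_payload(&buf, 1, 1);
	return check_len_hardcoded(&buf, len);
}

/* Over-claim: napd = 2 but only one descriptor on the wire; length is fine, policy rejects. */
enum verdict overclaim_napd2_hardcoded_check(void)
{
	union payload_buf buf;
	size_t len = build_payload(&buf, 2, 1);
	return check_len_hardcoded(&buf, len);
}

int main(void)
{
	printf("min len %zu, napd0 wire-bound %d, napd0 hardcoded %d, valid %d\n",
	       min_negotiate_len(), hostile_napd0_wire_check(),
	       hostile_napd0_hardcoded_check(), valid_hardcoded_check());
	return 0;
}
```

The wire-derived check returns ACCEPT for the 8-byte napd=0 payload, which is exactly the case where a later read of auth_protocol[0] would run 64 bytes past the buffer; the hardcoded bound rejects it on length alone, before the napd == 1 policy check is even reached.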