Re: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length

From: Christoph Hellwig

Date: Mon Jun 01 2026 - 10:54:44 EST


On Mon, Jun 01, 2026 at 08:58:18AM +0000, Tianchu Chen wrote:
> I think the current patch doesn't actually allow overflow.
>
> hl is a __u8 and dhvlen is a __le16. So the maximum value of
> sizeof(*data) + 2 * (size_t)data->hl + dhvlen
> is 66061, which is far below SIZE_MAX. It can't wrap.

True.

>
> About rewriting using struct_size: we still need to check
> tl >= struct_size(data, rval, 0) first,

Yes, or the existing sizeof.

> which is exactly the same
> as just using sizeof(*data) in current patch. Because we have to
> confirm the header is fully present before we can even read
> hl / dhvlen, which are the values that determine the minimum
> required rval[] length.
>
> So I believe the current patch already achieves the intended
> goal of validating the payload against the buffer size,
> using struct_size won't change the behavior.

I find untangling magic numbers a bit hard. Now unlike more
conventional cases we're stuck with some of them, but trying
to make the expression as self-describing as possible would
still be nice.

> That said, I'm happy to send a v2 that uses struct_size(data, rval, 0)

For the anchor that's not all that useful.

Anyway, let's keep the original version for now. I noticed there
is more of that 2 * magic in surrounding code, so we'll need to
address that separately instead of burdening it on you.
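The two-stage check the thread describes (fixed header fully present before hl/dhvlen are read, then sizeof(*data) + 2 * hl + dhvlen against tl), as an added C example that is not part of the patch or of the kernel; struct reply_hdr, validate_reply() and build_reply() are constructed names for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 16-byte DH-HMAC-CHAP reply header; the
 * layout mirrors the one discussed, but it is not the kernel's struct. */
struct reply_hdr {
    uint8_t  auth_type;
    uint8_t  auth_id;
    uint16_t rsvd1;
    uint16_t t_id;
    uint8_t  hl;       /* hash length: rval[] starts with 2*hl bytes */
    uint8_t  cvalid;
    uint16_t dhvlen;   /* DH value length, little-endian on the wire */
    uint32_t seqnum;
    uint8_t  rval[];   /* variable part: 2*hl + dhvlen bytes */
};

/* Return the rval[] length the header claims, or -1 if the message does
 * not fit in the tl bytes actually transferred. The fixed header must be
 * complete before hl/dhvlen can be read; only then is rval[] checked. */
long validate_reply(const uint8_t *buf, size_t tl)
{
    if (tl < sizeof(struct reply_hdr))
        return -1;                           /* cannot read hl/dhvlen yet */
    uint8_t hl = buf[offsetof(struct reply_hdr, hl)];
    size_t off = offsetof(struct reply_hdr, dhvlen);
    uint16_t dhvlen = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    /* Max is 16 + 2*255 + 65535 = 66061, so the sum cannot wrap. */
    size_t need = sizeof(struct reply_hdr) + 2 * (size_t)hl + dhvlen;
    if (need > tl)
        return -1;                           /* payload runs past buffer */
    return (long)(need - sizeof(struct reply_hdr));
}

/* Build a constructed reply of the given shape; returns its total length
 * or 0 if it would not fit in cap. */
size_t build_reply(uint8_t *buf, size_t cap, uint8_t hl, uint16_t dhvlen)
{
    size_t len = sizeof(struct reply_hdr) + 2 * (size_t)hl + dhvlen;
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    buf[offsetof(struct reply_hdr, hl)] = hl;
    buf[offsetof(struct reply_hdr, dhvlen)] = (uint8_t)(dhvlen & 0xff);
    buf[offsetof(struct reply_hdr, dhvlen) + 1] = (uint8_t)(dhvlen >> 8);
    return len;
}
```

A transfer one byte shorter than the claimed rval[] length, or shorter than the fixed header itself, is rejected before any rval[] byte is touched.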