Re: [PATCH v2] nvmet-auth: reject short AUTH_RECEIVE buffers
From: Keith Busch
Date: Wed Jun 10 2026 - 10:58:26 EST
On Tue, Jun 09, 2026 at 02:24:31PM -0400, Michael Bommarito wrote:
> nvmet_execute_auth_receive() trusts the AUTH_RECEIVE allocation length
> after checking only that it is nonzero and matches the transfer length.
> In the SUCCESS1 and FAILURE1/default states, that lets a remote NVMe-oF
> initiator reach the fixed-size DH-HMAC-CHAP response builders with a
> kmalloc() buffer shorter than the response, so nvmet_auth_success1() and
> nvmet_auth_failure1() write past the allocation; both only WARN_ON the
> short length and then format the message anyway.
Thanks, applied to nvme-7.2.
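
The class of check the quoted commit message describes, as an added user-space example that is not the patch or any kernel code: a receive handler that compares the initiator-supplied allocation length against the fixed response size for the current state before any builder writes. The struct layouts, status codes, and the names `auth_receive`, `resp_len` and `build_resp` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for two fixed-size responses (not the kernel layouts). */
struct resp_success1 { uint8_t auth_type, auth_id; uint16_t t_id; uint8_t hl, rvalid, rval[64]; };
struct resp_failure1 { uint8_t auth_type, auth_id; uint16_t t_id; uint8_t rescode, rescode_exp; };

enum state { ST_SUCCESS1, ST_FAILURE1 };
enum { RX_OK = 0, RX_INVALID = -1, RX_NOMEM = -2 };   /* hypothetical status codes */

/* Size the response builder for this state always writes. */
static size_t resp_len(enum state st)
{
    return st == ST_SUCCESS1 ? sizeof(struct resp_success1) : sizeof(struct resp_failure1);
}

/* Builder: formats a full fixed-size message and trusts the caller's length check. */
static void build_resp(enum state st, void *buf)
{
    memset(buf, 0, resp_len(st));
    ((uint8_t *)buf)[1] = (st == ST_SUCCESS1) ? 1 : 2;   /* constructed message id */
}

/* al is chosen by the remote initiator. On error nothing is allocated or written. */
int auth_receive(enum state st, uint32_t al, uint32_t transfer_len, size_t *written)
{
    void *buf;
    *written = 0;
    if (al == 0 || al != transfer_len)   /* nonzero and matches the transfer length */
        return RX_INVALID;
    if (al < resp_len(st))               /* reject short buffers before any builder runs */
        return RX_INVALID;
    buf = malloc(al);
    if (!buf)
        return RX_NOMEM;
    build_resp(st, buf);
    *written = resp_len(st);
    free(buf);
    return RX_OK;
}

int main(void)
{
    size_t n;
    int rc = auth_receive(ST_SUCCESS1, 4, 4, &n);   /* constructed short request */
    printf("al=4 -> rc=%d, wrote %zu bytes\n", rc, n);
    return 0;
}
```

Without the second check, a 4-byte allocation would still reach `build_resp`, which writes the full fixed-size message regardless of how much was allocated.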