[CVE-2023-6121] nvmet: nul-terminate the NQNs passed in the connect command [ Upstream commit 1c22e0295a5eb571c27b53c7371f95699ef705ff ] The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi <[email protected]> Reviewed-by: Chaitanya Kulkarni <[email protected]> Signed-off-by: Christoph Hellwig <[email protected]> Signed-off-by: Keith Busch <[email protected]> Signed-off-by: Sasha Levin <[email protected]>

commit: 57cf7f3b7f73c72123f7d29591297758f645727d [log] [tgz]
author: Christoph Hellwig <[email protected]> Fri Nov 17 13:13:36 2023
committer: Austin Zhang <[email protected]> Thu Dec 28 22:22:33 2023
tree: 8f44d8bf74811e959955ce9c5479867cf4a6123f
parent: 59f7dd3e4335b96e1219b82422ff72321d5a0d70 [diff]
diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
index 43b5bd8..d8da840 100644
--- a/drivers/nvme/target/fabrics-cmd.c
+++ b/drivers/nvme/target/fabrics-cmd.c

@@ -244,6 +244,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
 		goto out;
 	}
 
+	d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+	d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 	status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
 				  le32_to_cpu(c->kato), &ctrl);
 	if (status)
@@ -313,6 +315,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
 		goto out;
 	}
 
+	d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+	d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
 	ctrl = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
 				   le16_to_cpu(d->cntlid), req);
 	if (!ctrl) {
commit	57cf7f3b7f73c72123f7d29591297758f645727d	[log] [tgz]
author	Christoph Hellwig <[email protected]>	Fri Nov 17 13:13:36 2023
committer	Austin Zhang <[email protected]>	Thu Dec 28 22:22:33 2023
tree	8f44d8bf74811e959955ce9c5479867cf4a6123f
parent	59f7dd3e4335b96e1219b82422ff72321d5a0d70 [diff]