Re: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length

From: Keith Busch

Date: Wed Jun 03 2026 - 05:43:13 EST


On Fri, May 29, 2026 at 02:18:39PM +0000, Tianchu Chen wrote:
> From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
>
> nvmet_auth_reply() accesses the variable-length rval[] array using
> attacker-controlled hl (hash length) and dhvlen (DH value length) fields
> without verifying they fit within the allocated buffer of tl bytes.

Thanks, applied to nvme-7.2.
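
The bounds check described in the quoted commit message, as an added example that is not part of this thread or of the applied patch. The 4-byte header layout, the ordering of `rval[]` (response, challenge, DH value) and the names `reply_payload_fits` and `check_case` are assumptions made for illustration; only `hl`, `dhvlen`, `rval[]` and `tl` come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-byte header for illustration only; not the kernel's struct.
 * Assumed: rval[] follows it as response[hl] | challenge[hl] | dhv[dhvlen]. */
#define HDR_LEN    4u
#define OFF_HL     0u   /* u8: hash length, sender-controlled */
#define OFF_DHVLEN 2u   /* le16: DH value length, sender-controlled */

/* Hypothetical helper: 0 if every rval[] byte implied by hl and dhvlen lies
 * inside the tl bytes actually transferred, -1 otherwise. */
int reply_payload_fits(const uint8_t *buf, size_t tl)
{
    size_t hl, dhvlen, need;

    if (tl < HDR_LEN)               /* the length fields must be present */
        return -1;
    hl = buf[OFF_HL];
    dhvlen = (size_t)buf[OFF_DHVLEN] | ((size_t)buf[OFF_DHVLEN + 1] << 8);
    need = 2 * hl + dhvlen;         /* at most 2*255 + 65535: cannot wrap */
    if (need > tl - HDR_LEN)        /* safe: tl >= HDR_LEN checked above */
        return -1;
    return 0;
}

/* Builds a constructed header and validates it against a claimed tl. */
int check_case(uint8_t hl, uint16_t dhvlen, size_t tl)
{
    uint8_t hdr[HDR_LEN] = { 0 };

    hdr[OFF_HL] = hl;
    hdr[OFF_DHVLEN] = (uint8_t)(dhvlen & 0xff);
    hdr[OFF_DHVLEN + 1] = (uint8_t)(dhvlen >> 8);
    return reply_payload_fits(hdr, tl);
}

int main(void)
{
    printf("hl=32 dhvlen=0   tl=68  -> %d\n", check_case(32, 0, 68));
    printf("hl=32 dhvlen=0   tl=67  -> %d\n", check_case(32, 0, 67));
    printf("hl=64 dhvlen=256 tl=132 -> %d\n", check_case(64, 256, 132));
    return 0;
}
```

The check runs before any `rval[]` offset is computed, and the comparison is written as `need > tl - HDR_LEN` so that a short `tl` cannot make the subtraction wrap.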