The "d" variable is a void pointer so sizeof(*d) is 1. It was supposed to be sizeof(*data) which is 16. The "data_size" is the data required to hold the data struct plus "hash_len" which is the length of the variable array at the end of the data struct. Plus the "ctrl->dh_keysize" which is the extra space after the end of the data struct. The "al" variable is actual length of the buffer. This mistake means that we will not zero the last 15 bytes. We likely copy data over these bytes so it may not be an issue. The main problem is that the check "if (al < data_size)" which ensures that we have allocated enough data is incorrect, potentially leading to memory corruption. Cc: stable@xxxxxxxxxxxxxxx Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- I thought about changing the caller to use kzalloc() instead of kmalloc() to get rid of the memset(). But we need to calculate data_size anyway so moving the memset() doesn't really add very much. drivers/nvme/target/fabrics-cmd-auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c index 3f2857c17d95..aad113e17072 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -356,7 +356,7 @@ static int nvmet_auth_challenge(struct nvmet_req *req, void *d, int al) struct nvmet_ctrl *ctrl = req->sq->ctrl; int ret = 0; int hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id); - int data_size = sizeof(*d) + hash_len; + int data_size = sizeof(*data) + hash_len; if (ctrl->dh_tfm) data_size += ctrl->dh_keysize; -- 2.45.2
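Review bot: the replaced initializer now uses `sizeof(*data)`, but the only declaration visible in the hunk is the `void *d` parameter in the function signature; the typed `data` pointer must be declared above this line in the unchanged part of the function, so please confirm the build order (sizeof() is evaluated at compile time, so it does not matter whether `data` is assigned from `d` before or after the `al < data_size` check, only that it is declared). Since `data_size` is the fixed struct size plus a trailing variable-length hash, the kernel's `struct_size()` helper would express the same computation with overflow checking if the hash is a flexible array member; if it is not, the current form is fine. The commit message explains the impact well, but it would help to state in the message itself that `data` is the typed alias of `d`, since a reader of the hunk alone cannot tell.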