authorKlaus Jensen <k.jensen@samsung.com>2021-04-07 07:16:14 +0200
committerKlaus Jensen <k.jensen@samsung.com>2021-04-07 10:48:33 +0200
commit7645f21f409b67eb9aad9feef6283c2e186e3703 (patch)
tree4871d95b8ae7311e676001a74bb8f55abe1bf688
parentec20329748d02728b823443436fe26eadb04f8cc (diff)
hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl
nvme_subsys_ctrl() is used in contexts where the given controller identifier is from an untrusted source. Like its friends nvme_ns() and nvme_subsys_ns(), nvme_subsys_ctrl() should just return NULL if an invalid identifier is given. Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command") Cc: Minwoo Im <minwoo.im.dev@gmail.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
-rw-r--r--hw/block/nvme-subsys.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h
index 1cbcad9be2..7d7ef5f7f1 100644
--- a/hw/block/nvme-subsys.h
+++ b/hw/block/nvme-subsys.h
@@ -36,7 +36,7 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp);
static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys,
uint32_t cntlid)
{
- if (!subsys) {
+ if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS) {
return NULL;
}
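Review bot: The new guard on the `if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS)` line compares against a named constant rather than the size of the array that is indexed afterwards, so the check holds only while that array is declared with exactly this bound. The indexing statement and the array declaration are outside this hunk, so this is inferred; if the lookup is a plain fixed-size array member, bounding with `ARRAY_SIZE()` of that member would keep the check tied to the declaration. The function would also benefit from a short contract comment above it, for example `/* cntlid may come from a guest command; returns NULL if subsys is NULL or cntlid is out of range */`. That makes it explicit to callers that a NULL return must be handled on the untrusted-identifier paths the commit message describes.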