diff options
author | Klaus Jensen <k.jensen@samsung.com> | 2021-04-07 07:16:14 +0200 |
---|---|---|
committer | Klaus Jensen <k.jensen@samsung.com> | 2021-04-07 10:48:33 +0200 |
commit | 7645f21f409b67eb9aad9feef6283c2e186e3703 (patch) | |
tree | 4871d95b8ae7311e676001a74bb8f55abe1bf688 | |
parent | ec20329748d02728b823443436fe26eadb04f8cc (diff) | |
download | qemu-7645f21f409b67eb9aad9feef6283c2e186e3703.zip |
hw/block/nvme: fix out-of-bounds read in nvme_subsys_ctrl
nvme_subsys_ctrl() is used in contexts where the given controller
identifier is from an untrusted source. Like its friends nvme_ns() and
nvme_subsys_ns(), nvme_subsys_ctrl() should just return NULL if an
invalid identifier is given.
Fixes: 645ce1a70cb6 ("hw/block/nvme: support namespace attachment command")
Cc: Minwoo Im <minwoo.im.dev@gmail.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im.dev@gmail.com>
-rw-r--r-- | hw/block/nvme-subsys.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/block/nvme-subsys.h b/hw/block/nvme-subsys.h index 1cbcad9be2..7d7ef5f7f1 100644 --- a/hw/block/nvme-subsys.h +++ b/hw/block/nvme-subsys.h @@ -36,7 +36,7 @@ int nvme_subsys_register_ctrl(NvmeCtrl *n, Error **errp); static inline NvmeCtrl *nvme_subsys_ctrl(NvmeSubsystem *subsys, uint32_t cntlid) { - if (!subsys) { + if (!subsys || cntlid >= NVME_SUBSYS_MAX_CTRLS) { return NULL; } |