mi: be pedantic with message sizes and offsets

Check that we have enough data for a base header, and that the lengths
are properly aligned, for both request and response messages.

For the raw admin API, ensure we have correct data lengths and offsets.

Add some tests to suit, using the raw admin API

Signed-off-by: Jeremy Kerr <[email protected]>

Author: jk-ozlabs

src/nvme/mi.c

@@ -157,6 +157,24 @@ int nvme_mi_submit(nvme_mi_ep_t ep, struct nvme_mi_req *req,
 {
 	int rc;
 
+	if (req->hdr_len < sizeof(struct nvme_mi_msg_hdr))
+		return -EINVAL;
+
+	if (req->hdr_len & 0x3)
+		return -EINVAL;
+
+	if (req->data_len & 0x3)
+		return -EINVAL;
+
+	if (resp->hdr_len < sizeof(struct nvme_mi_msg_hdr))
+		return -EINVAL;
+
+	if (resp->hdr_len & 0x3)
+		return -EINVAL;
+
+	if (resp->data_len & 0x3)
+		return -EINVAL;
+
 	if (ep->transport->mic_enabled)
 		nvme_mi_calc_req_mic(req);
 
@@ -213,11 +231,30 @@ int nvme_mi_admin_xfer(nvme_mi_ctrl_t ctrl,
 	struct nvme_mi_req req;
 	int rc;
 
-	if (*resp_data_size > 0xffffffff)
+	/* length/offset checks. The common _submit() API will do further
+	 * checking on the message lengths too, so these are kept specific
+	 * to the requirements of the Admin command set
+	 */
+
+	/* NVMe-MI v1.2 imposes a limit of 4096 bytes on the dlen field */
+	if (*resp_data_size > 4096)
 		return -EINVAL;
+
+	/* we only have 32 bits of offset */
 	if (resp_data_offset > 0xffffffff)
 		return -EINVAL;
 
+	/* must be aligned */
+	if (resp_data_offset & 0x3)
+		return -EINVAL;
+
+	/* bidirectional not permitted (see DLEN definition) */
+	if (req_data_size && *resp_data_size)
+		return -EINVAL;
+
+	if (!*resp_data_size && resp_data_offset)
+		return -EINVAL;
+
 	admin_req->hdr.type = NVME_MI_MSGTYPE_NVME;
 	admin_req->hdr.nmp = (NVME_MI_ROR_REQ << 7) |
 				(NVME_MI_MT_ADMIN << 3);

test/mi.c

@@ -495,6 +495,66 @@ static void test_admin_err_resp(nvme_mi_ep_t ep)
 	assert(rc != 0);
 }
 
+/* invalid Admin command transfers */
+static int test_admin_invalid_formats_cb(struct nvme_mi_ep *ep,
+					 struct nvme_mi_req *req,
+					 struct nvme_mi_resp *resp,
+					 void *data)
+{
+	/* none of the tests should result in message transfer */
+	assert(0);
+	return -1;
+}
+
+static void test_admin_invalid_formats(nvme_mi_ep_t ep)
+{
+	struct nvme_mi_admin_resp_hdr resp = { 0 };
+	struct nvme_mi_admin_req_hdr req = { 0 };
+	nvme_mi_ctrl_t ctrl;
+	size_t len;
+	int rc;
+
+	test_set_transport_callback(ep, test_admin_invalid_formats_cb, NULL);
+
+	ctrl = nvme_mi_init_ctrl(ep, 1);
+	assert(ctrl);
+
+	/* unaligned req size */
+	len = 0;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 1, &resp, 0, &len);
+	assert(rc != 0);
+
+	/* unaligned resp size */
+	len = 1;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 0, &resp, 0, &len);
+	assert(rc != 0);
+
+	/* unaligned resp offset */
+	len = 4;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 0, &resp, 1, &len);
+	assert(rc != 0);
+
+	/* resp too large */
+	len = 4096 + 4;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 0, &resp, 0, &len);
+	assert(rc != 0);
+
+	/* resp offset too large */
+	len = 4;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 0, &resp, (off_t)1 << 32, &len);
+	assert(rc != 0);
+
+	/* resp offset with no len */
+	len = 0;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 0, &resp, 4, &len);
+	assert(rc != 0);
+
+	/* req and resp payloads */
+	len = 4;
+	rc = nvme_mi_admin_xfer(ctrl, &req, 4, &resp, 0, &len);
+	assert(rc != 0);
+}
+
 #define DEFINE_TEST(name) { #name, test_ ## name }
 struct test {
 	const char *name;
@@ -509,6 +569,7 @@ struct test {
 	DEFINE_TEST(invalid_crc),
 	DEFINE_TEST(admin_id),
 	DEFINE_TEST(admin_err_resp),
+	DEFINE_TEST(admin_invalid_formats),
 };
 
 static void run_test(struct test *test, FILE *logfd, nvme_mi_ep_t ep)