mi: verify length of data before reading header

igaw · igaw · commit b1e49afdcc1e · 2026-03-10T08:43:23.000+01:00
The total length could be shorter than then the header. Thus check
first the message length.

Running test mi_aem_ep_based_failure_conditions...==3181== Conditional jump or move depends on uninitialised value(s)
==3181==    at 0x486E7D7: validate_enabled_list (mi.c:1445)
==3181==    by 0x486E7D7: nvme_mi_aem_get_enabled (mi.c:1730)
==3181==    by 0x486E8F3: aem_disable_enabled (mi.c:1605)
==3181==    by 0x486EB3A: nvme_mi_aem_enable (mi.c:1667)
==3181==    by 0x401621: test_mi_aem_ep_based_failure_helper (mi-mctp.c:1187)
==3181==    by 0x401688: test_mi_aem_ep_based_failure_conditions (mi-mctp.c:1204)
==3181==    by 0x400FF2: run_test (mi-mctp.c:1448)
==3181==    by 0x400FF2: main (mi-mctp.c:1472)

Signed-off-by: Daniel Wagner &lt;wagi@kernel.org&gt;
diff --git a/libnvme/src/nvme/mi.c b/libnvme/src/nvme/mi.c
@@ -1440,6 +1440,8 @@ void nvme_mi_aem_aeolli_set_aeoltl(struct nvme_mi_aem_occ_list_hdr *hdr, __u32 a
 
 static int validate_enabled_list(struct nvme_mi_aem_supported_list *list, size_t len)
 {
+	if (len < sizeof(struct nvme_mi_aem_supported_list))
+		return -EPROTO;
 	if (list->hdr.aeslver != 0)
 		return -EPROTO;
 	if (list->hdr.aeslhl != sizeof(struct nvme_mi_aem_supported_list))

Original file line number	Diff line number	Diff line change
`@@ -1440,6 +1440,8 @@ void nvme_mi_aem_aeolli_set_aeoltl(struct nvme_mi_aem_occ_list_hdr *hdr, __u32 a`
`1440`	`1440`
`1441`	`1441`	`static int validate_enabled_list(struct nvme_mi_aem_supported_list *list, size_t len)`
`1442`	`1442`	`{`
	`1443`	`+ if (len < sizeof(struct nvme_mi_aem_supported_list))`
	`1444`	`+ return -EPROTO;`
`1443`	`1445`	`if (list->hdr.aeslver != 0)`
`1444`	`1446`	`return -EPROTO;`
`1445`	`1447`	`if (list->hdr.aeslhl != sizeof(struct nvme_mi_aem_supported_list))`