In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmettcpbuildpduiovec().
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmettcpiowork+0x6ac/0x718 [nvmettcp] Call trace: processonework+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110
Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmettcphandle_icreq().