diff options
| author | peter chang <[email protected]> | 2017-02-15 14:11:54 -0800 |
|---|---|---|
| committer | Martin K. Petersen <[email protected]> | 2017-03-16 19:46:33 -0400 |
| commit | bf33f87dd04c371ea33feb821b60d63d754e3124 (patch) | |
| tree | 4207379ccff4dd625ff04a3cbc44fddfe819fac9 | |
| parent | 645b8ef5943f95b74240568105ce2be21c6640b4 (diff) | |
scsi: sg: check length passed to SG_NEXT_CMD_LEN
The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.
Cc: <[email protected]>
Signed-off-by: Peter Chang <[email protected]>
Acked-by: Douglas Gilbert <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
| -rw-r--r-- | drivers/scsi/sg.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index e831e01f9fa6..849ff8104be2 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) result = get_user(val, ip); if (result) return result; + if (val > SG_MAX_CDB_SIZE) + return -ENOMEM; sfp->next_cmd_len = (val > 0) ? val : 0; return 0; case SG_GET_VERSION_NUM: |