diff options
author | peter chang <dpf@google.com> | 2017-02-15 14:11:54 -0800 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2017-03-16 19:46:33 -0400 |
commit | bf33f87dd04c371ea33feb821b60d63d754e3124 (patch) | |
tree | 4207379ccff4dd625ff04a3cbc44fddfe819fac9 | |
parent | 645b8ef5943f95b74240568105ce2be21c6640b4 (diff) | |
download | linux-bf33f87dd04c371ea33feb821b60d63d754e3124.tar.gz |
scsi: sg: check length passed to SG_NEXT_CMD_LEN
The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r-- | drivers/scsi/sg.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index e831e01..849ff810 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) result = get_user(val, ip); if (result) return result; + if (val > SG_MAX_CDB_SIZE) + return -ENOMEM; sfp->next_cmd_len = (val > 0) ? val : 0; return 0; case SG_GET_VERSION_NUM: |