mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
30 lines
953 B
Diff
30 lines
953 B
Diff
From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001
|
|
From: peter chang <dpf@google.com>
|
|
Date: Wed, 15 Feb 2017 14:11:54 -0800
|
|
Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
|
|
|
|
The user can control the size of the next command passed along, but the
|
|
value passed to the ioctl isn't checked against the usable max command
|
|
size.
|
|
|
|
Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
|
|
Cc: <stable@vger.kernel.org>
|
|
Signed-off-by: Peter Chang <dpf@google.com>
|
|
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
|
|
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
|
---
|
|
|
|
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
|
|
index 96d635e..4a6b13b 100644
|
|
--- a/drivers/scsi/sg.c
|
|
+++ b/drivers/scsi/sg.c
|
|
@@ -978,6 +978,8 @@
|
|
result = get_user(val, ip);
|
|
if (result)
|
|
return result;
|
|
+ if (val > SG_MAX_CDB_SIZE)
|
|
+ return -ENOMEM;
|
|
sfp->next_cmd_len = (val > 0) ? val : 0;
|
|
return 0;
|
|
case SG_GET_VERSION_NUM:
|