summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpeter chang <dpf@google.com>2017-02-15 23:11:54 +0100
committerMartin K. Petersen <martin.petersen@oracle.com>2017-03-17 00:46:33 +0100
commitbf33f87dd04c371ea33feb821b60d63d754e3124 (patch)
tree4207379ccff4dd625ff04a3cbc44fddfe819fac9
parentscsi: ufshcd-platform: remove the useless cast in ERR_PTR/IS_ERR (diff)
downloadlinux-bf33f87dd04c371ea33feb821b60d63d754e3124.tar.xz
linux-bf33f87dd04c371ea33feb821b60d63d754e3124.zip
scsi: sg: check length passed to SG_NEXT_CMD_LEN
The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Cc: <stable@vger.kernel.org> Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r--drivers/scsi/sg.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index e831e01f9fa6..849ff8104be2 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM: