scsi: sg: check length passed to SG_NEXT_CMD_LEN

The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c Cc: <stable@vger.kernel.org> Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
author: peter chang <dpf@google.com> 2017-02-15 14:11:54 -0800
committer: Mister Oyster <oysterized@gmail.com> 2017-04-13 12:35:29 +0200
commit: 4a95d8a8c79ca1addcd181ebfa83c1b7580aaa86 (patch)
tree: 52740bf3ef6fca8f8e43a55e2953c6543b29c082 /drivers
parent: 745df73fa483f84a4f2b93bbe166ce9a39aa0003 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9b849b7db..b66ae80b0 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -985,6 +985,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM:
author	peter chang <dpf@google.com>	2017-02-15 14:11:54 -0800
committer	Mister Oyster <oysterized@gmail.com>	2017-04-13 12:35:29 +0200
commit	4a95d8a8c79ca1addcd181ebfa83c1b7580aaa86 (patch)
tree	52740bf3ef6fca8f8e43a55e2953c6543b29c082 /drivers
parent	745df73fa483f84a4f2b93bbe166ce9a39aa0003 (diff)