scsi: sg: check length passed to SG_NEXT_CMD_LEN

commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream. The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: peter chang <dpf@google.com> 2017-02-15 14:11:54 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-04-08 09:30:32 +0200
commit: c2a869527865c35b605877f966cb5d514fdc5fbb (patch)
tree: 490c7d5084ff144e0c54653af7acddc07ab07a3b
parent: d5dbd1c9592062ef170fb895f7aa483f781e63f6 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 121de0aaa6ad..f753df25ba34 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM:
author	peter chang <dpf@google.com>	2017-02-15 14:11:54 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-04-08 09:30:32 +0200
commit	c2a869527865c35b605877f966cb5d514fdc5fbb (patch)
tree	490c7d5084ff144e0c54653af7acddc07ab07a3b
parent	d5dbd1c9592062ef170fb895f7aa483f781e63f6 (diff)