author: peter chang <dpf@google.com> 2017-02-15 14:11:54 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-04-08 09:53:31 +0200
commit: a92f411914cad6532e82e4607bc4075a5ffaa366
tree: d03c7b5937fc156757efe22d17be2f06a2475281
parent: 18639c4bad72218954e728e9ca65c33b13ba673a
scsi: sg: check length passed to SG_NEXT_CMD_LEN

commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream.

The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size.

Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

-rw-r--r-- drivers/scsi/sg.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index dedcff9cabb5..6514636431ab 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1008,6 +1008,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
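Review bot: The new check `if (val > SG_MAX_CDB_SIZE)` returns -ENOMEM, which a caller will read as an allocation failure rather than a rejected argument; -EINVAL would describe an out-of-range length more accurately, unless -ENOMEM is being kept on purpose for consistency elsewhere in the driver, in which case the commit message should say so. The check bounds only the upper end, which is sufficient here because the following line, `sfp->next_cmd_len = (val > 0) ? val : 0;`, clamps zero and negative values to 0, but a short comment stating that the two lines together constrain next_cmd_len to the range 0..SG_MAX_CDB_SIZE would make that dependency visible to whoever edits either line next.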