[SCSI] hpsa: defend against zero sized buffers in passthru ioctls

		buff = kmalloc(iocommand.buf_size, GFP_KERNEL);

		if (buff == NULL)

			return -EFAULT;

	}

		if (iocommand.Request.Type.Direction == XFER_WRITE) {

			/* Copy the data into the buffer we created */

		if (copy_from_user(buff, iocommand.buf, iocommand.buf_size)) {

			if (copy_from_user(buff, iocommand.buf,

				iocommand.buf_size)) {

				kfree(buff);

				return -EFAULT;

			}

	} else

		} else {

			memset(buff, 0, iocommand.buf_size);

		}

	}

	c = cmd_special_alloc(h);

	if (c == NULL) {

		kfree(buff);

		cmd_special_free(h, c);

		return -EFAULT;

	}

	if (iocommand.Request.Type.Direction == XFER_READ) {

	if (iocommand.Request.Type.Direction == XFER_READ &&

		iocommand.buf_size > 0) {

		/* Copy the data out of the buffer we created */

		if (copy_to_user(iocommand.buf, buff, iocommand.buf_size)) {

			kfree(buff);

	}

	c->cmd_type = CMD_IOCTL_PEND;

	c->Header.ReplyQueue = 0;

	if (ioc->buf_size > 0) {

		c->Header.SGList = sg_used;

		c->Header.SGTotal = sg_used;

	} else {

		c->Header.SGList = 0;

		c->Header.SGTotal = 0;

	}

	c->Header.SGList = c->Header.SGTotal = sg_used;

	memcpy(&c->Header.LUN, &ioc->LUN_info, sizeof(c->Header.LUN));

	c->Header.Tag.lower = c->busaddr;

	memcpy(&c->Request, &ioc->Request, sizeof(c->Request));

		}

	}

	hpsa_scsi_do_simple_cmd_core(h, c);

	if (sg_used)

		hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);

	check_ioctl_unit_attention(h, c);

	/* Copy the error information out */

		status = -EFAULT;

		goto cleanup1;

	}

	if (ioc->Request.Type.Direction == XFER_READ) {

	if (ioc->Request.Type.Direction == XFER_READ && ioc->buf_size > 0) {

		/* Copy the data out of the buffer we created */

		BYTE __user *ptr = ioc->buf;

		for (i = 0; i < sg_used; i++) {