Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bf33f87d authored by peter chang's avatar peter chang Committed by Martin K. Petersen
Browse files

scsi: sg: check length passed to SG_NEXT_CMD_LEN 



The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarPeter Chang <dpf@google.com>
Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 645b8ef5

drivers/scsi/sg.c

+2 −0
Original line number Diff line number Diff line
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) 
		result = get_user(val, ip);

		if (result)

			return result;

		if (val > SG_MAX_CDB_SIZE)

			return -ENOMEM;

		sfp->next_cmd_len = (val > 0) ? val : 0;

		return 0;

	case SG_GET_VERSION_NUM: