scsi: sg: check length passed to SG_NEXT_CMD_LEN

The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Cc: <stable@vger.kernel.org> Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
mariux64 · Mar 16, 2017 · bf33f87 · bf33f87
1 parent 645b8ef
commit bf33f87
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM: