Message ID | yq1zigmf6vq.fsf@oracle.com (mailing list archive) |
---|---|
State | Not Applicable, archived |
On 2017-03-15 07:38 PM, Martin K. Petersen wrote: > Peter Chang <dpf@google.com> writes: > >> now that i think i've got gmail not marking everything as spam... > > Doug? The extra sanity check can't hurt. Acked-by: Douglas Gilbert <dgilbert@interlog.com> > >>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001 > From: peter chang <dpf@google.com> > Date: Wed, 15 Feb 2017 14:11:54 -0800 > Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN > > the user can control the size of the next command passed along, but > the value passed to the ioctl isn't checked against the usable > max command size. > > Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d > Tested: sanity checked w/ calling the ioctl w/ a bogus size > --- > drivers/scsi/sg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 9c5c5f2b3962..b47a369cb71c 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) > result = get_user(val, ip); > if (result) > return result; > + if (val > SG_MAX_CDB_SIZE) > + return -ENOMEM; > sfp->next_cmd_len = (val > 0) ? val : 0; > return 0; > case SG_GET_VERSION_NUM: >
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 9c5c5f2b3962..b47a369cb71c 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) result = get_user(val, ip); if (result) return result; + if (val > SG_MAX_CDB_SIZE) + return -ENOMEM; sfp->next_cmd_len = (val > 0) ? val : 0; return 0; case SG_GET_VERSION_NUM:
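Review bot: the added check in the SG_NEXT_CMD_LEN path of sg_ioctl() returns -ENOMEM for a value that is only out of range; nothing in the visible lines allocates memory, so -EINVAL would tell the caller more accurately what went wrong. The check also covers only the upper bound: a negative val still passes it and is silently turned into 0 by the following `sfp->next_cmd_len = (val > 0) ? val : 0;`. Consider rejecting val < 0 in the same test, or noting in the commit message that the clamp to 0 is intentional. The commit message would also benefit from one sentence on what an oversized next_cmd_len leads to later, so the reason for the bound is recorded with the fix.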