Peter Chang <d...@google.com> writes:
> now that i think i've got gmail not marking everything as spam...
Doug?
>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang <d...@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN
the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.
Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned
long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
--
2.12.0.rc1.440.g5b76565f74-goog
--
Martin K. Petersen Oracle Linux Engineering
