|
|
@@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
|
|
|
}
|
|
|
spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
|
|
|
|
|
|
+ /* Basic sanity checks to prevent underflows or integer overflows */
|
|
|
+ if (karg.maxReplyBytes < 0 ||
|
|
|
+ karg.dataInSize < 0 ||
|
|
|
+ karg.dataOutSize < 0 ||
|
|
|
+ karg.dataSgeOffset < 0 ||
|
|
|
+ karg.maxSenseBytes < 0 ||
|
|
|
+ karg.dataSgeOffset > ioc->req_sz / 4)
|
|
|
+ return -EINVAL;
|
|
|
+
|
|
|
/* Verify that the final request frame will not be too large.
|
|
|
*/
|
|
|
sz = karg.dataSgeOffset * 4;
|
Dan Carpenter