dpt_i2o: Fix up copy*user
authorAlan Cox <alan@linux.intel.com>
Tue, 27 Oct 2009 15:35:35 +0000 (15:35 +0000)
committerLinus Torvalds <torvalds@linux-foundation.org>
Thu, 29 Oct 2009 16:01:07 +0000 (09:01 -0700)
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/scsi/dpt_i2o.c

index b6af63ca980b4f1cb6be6acb2ca6762fe3f67548..7d1aac31ec8dcca36f70046966a9043f3d337f6e 100644 (file)
@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg)
                }
                size = size>>16;
                size *= 4;
+               if (size > MAX_MESSAGE_SIZE) {
+                       rcode = EINVAL;
+                       goto cleanup;
+               }
                /* Copy in the user's I2O command */
                if (copy_from_user (msg, user_msg, size)) {
                        rcode = -EFAULT;