dpt_i2o: Fix up copy*user
Alan Cox [Tue, 27 Oct 2009 15:35:35 +0000 (15:35 +0000)]
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/scsi/dpt_i2o.c

index b6af63c..7d1aac3 100644 (file)
@@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg)
                }
                size = size>>16;
                size *= 4;
+               if (size > MAX_MESSAGE_SIZE) {
+                       rcode = EINVAL;
+                       goto cleanup;
+               }
                /* Copy in the user's I2O command */
                if (copy_from_user (msg, user_msg, size)) {
                        rcode = -EFAULT;