[SCSI] megaraid: missing bounds check in mimd_to_kioc()

pthru32->dataxferlen comes from the user so we need to check that it's
not too large so we don't overflow the buffer.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sumit Saxena <sumit.saxena@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
index dfffd0f37916f18097eaafe21eb2589b033d9193..a70692779a16c770300b410eda56a9f1823e9239 100644 (file)
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -486,6 +486,8 @@ mimd_to_kioc(mimd_t __user *umimd, mraid_mmadp_t *adp, uioc_t *kioc)
 
        pthru32->dataxferaddr   = kioc->buf_paddr;
        if (kioc->data_dir & UIOC_WR) {
+               if (pthru32->dataxferlen > kioc->xferlen)
+                       return -EINVAL;
                if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
                                                pthru32->dataxferlen)) {
                        return (-EFAULT);