The following commit has been merged in the linux branch: commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 Author: Alan Cox alan@linux.intel.com Date: Tue Oct 27 15:35:35 2009 +0000
dpt_i2o: Fix up copy*user
Signed-off-by: Alan Cox alan@linux.intel.com Cc: stable@kernel.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index b6af63c..7d1aac3 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1918,6 +1918,10 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) } size = size>>16; size *= 4; + if (size > MAX_MESSAGE_SIZE) { + rcode = EINVAL; + goto cleanup; + } /* Copy in the user's I2O command */ if (copy_from_user (msg, user_msg, size)) { rcode = -EFAULT;