Skip to content

Commit e6fd916

Browse files
Dan Carpentermartinkpetersen
Dan Carpenter
authored and
martinkpetersen
committed
scsi: aacraid: reading out of bounds
"qd.id" comes directly from the copy_from_user() on the line before so we should verify that it's within bounds. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent 722477c commit e6fd916

File tree

1 file changed

+4
-3
lines changed

1 file changed

+4
-3
lines changed

drivers/scsi/aacraid/aachba.c

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3198,10 +3198,11 @@ static int query_disk(struct aac_dev *dev, void __user *arg)
31983198
return -EBUSY;
31993199
if (copy_from_user(&qd, arg, sizeof (struct aac_query_disk)))
32003200
return -EFAULT;
3201-
if (qd.cnum == -1)
3201+
if (qd.cnum == -1) {
3202+
if (qd.id < 0 || qd.id >= dev->maximum_num_containers)
3203+
return -EINVAL;
32023204
qd.cnum = qd.id;
3203-
else if ((qd.bus == -1) && (qd.id == -1) && (qd.lun == -1))
3204-
{
3205+
} else if ((qd.bus == -1) && (qd.id == -1) && (qd.lun == -1)) {
32053206
if (qd.cnum < 0 || qd.cnum >= dev->maximum_num_containers)
32063207
return -EINVAL;
32073208
qd.instance = dev->scsi_host_ptr->host_no;

0 commit comments

Comments
 (0)