Merge tag 'edac/v4.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab...

[cascardo/linux.git] / drivers / message / fusion / mptctl.c

diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
index 70bb753..fc73937 100644 (file)
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
        }
        spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
 
+       /* Basic sanity checks to prevent underflows or integer overflows */
+       if (karg.maxReplyBytes < 0 ||
+           karg.dataInSize < 0 ||
+           karg.dataOutSize < 0 ||
+           karg.dataSgeOffset < 0 ||
+           karg.maxSenseBytes < 0 ||
+           karg.dataSgeOffset > ioc->req_sz / 4)
+               return -EINVAL;
+
        /* Verify that the final request frame will not be too large.
         */
        sz = karg.dataSgeOffset * 4;