X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=drivers%2Fscsi%2Fsg.c;h=f753df25ba3492d4da3128a8a98eeaae467860ed;hb=cf1570d730f391150bbffc66e663f7afea2becd4;hp=dbe5b4b95df0d9d317dbdc2261914e4d8771991f;hpb=ad3efdb72cd921ec52ac94e82595a5d2e7a7b054;p=mirror_ubuntu-zesty-kernel.git

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index dbe5b4b95df0..f753df25ba34 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 		result = get_user(val, ip);
 		if (result)
 			return result;
+		if (val > SG_MAX_CDB_SIZE)
+			return -ENOMEM;
 		sfp->next_cmd_len = (val > 0) ? val : 0;
 		return 0;
 	case SG_GET_VERSION_NUM:
@@ -1753,6 +1755,10 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
 			return res;
 
 		iov_iter_truncate(&i, hp->dxfer_len);
+		if (!iov_iter_count(&i)) {
+			kfree(iov);
+			return -EINVAL;
+		}
 
 		res = blk_rq_map_user_iov(q, rq, md, &i, GFP_ATOMIC);
 		kfree(iov);