i2o: check copy_from_user() size parameter

Dan Carpenter · torvalds · commit 9151b3982daf · 2013-04-30T17:04:04.000-07:00
Limit the size of the copy so we don't corrupt memory.  Hopefully this
can only be called by root, but fixing this makes the static checkers
happier.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Cc: Jiri Kosina &lt;jkosina@suse.cz&gt;
Cc: Masanari Iida &lt;standby24x7@gmail.com&gt;
Cc: Alan Cox &lt;alan@linux.intel.com&gt;
Cc: Guenter Roeck &lt;linux@roeck-us.net&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
 		}
 		size = size >> 16;
 		size *= 4;
+		if (size > sizeof(rmsg)) {
+			rcode = -EINVAL;
+			goto sg_list_cleanup;
+		}
+
 		/* Copy in the user's I2O command */
 		if (copy_from_user(rmsg, user_msg, size)) {
 			rcode = -EFAULT;
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
 		}
 		size = size >> 16;
 		size *= 4;
+		if (size > sizeof(rmsg)) {
+			rcode = -EFAULT;
+			goto sg_list_cleanup;
+		}
+
 		/* Copy in the user's I2O command */
 		if (copy_from_user(rmsg, user_msg, size)) {
 			rcode = -EFAULT;
