1 files changed, 11 insertions, 2 deletions

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index b381b3718a98..5648b715fed9 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
         struct fib *fibptr;
         struct hw_fib * hw_fib = (struct hw_fib *)0;
         dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-        unsigned size;
+        unsigned int size, osize;
         int retval;
 
         if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
          *      will not overrun the buffer when we copy the memory. Return
          *      an error if we would.
          */
-        size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+        osize = size = le16_to_cpu(kfib->header.Size) +
+                sizeof(struct aac_fibhdr);
         if (size < le16_to_cpu(kfib->header.SenderSize))
                 size = le16_to_cpu(kfib->header.SenderSize);
         if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
                 goto cleanup;
         }
 
+        /* Sanity check the second copy */
+        if ((osize != le16_to_cpu(kfib->header.Size) +
+                sizeof(struct aac_fibhdr))
+                || (size < le16_to_cpu(kfib->header.SenderSize))) {
+                retval = -EINVAL;
+                goto cleanup;
+        }
+
         if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
                 aac_adapter_interrupt(dev);
                 /*