i2o: check copy_from_user() size parameter

Limit the size of the copy so we don't corrupt memory.  Hopefully this
can only be called by root, but fixing this makes the static checkers
happier.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Masanari Iida <standby24x7@gmail.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 10 insertions, 0 deletions

diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c
index 5451beff183f..a60c188c2bd9 100644
--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -687,6 +687,11 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
                 }
                 size = size >> 16;
                 size *= 4;
+                if (size > sizeof(rmsg)) {
+                        rcode = -EINVAL;
+                        goto sg_list_cleanup;
+                }
+
                 /* Copy in the user's I2O command */
                 if (copy_from_user(rmsg, user_msg, size)) {
                         rcode = -EFAULT;
@@ -922,6 +927,11 @@ static int i2o_cfg_passthru(unsigned long arg)
                 }
                 size = size >> 16;
                 size *= 4;
+                if (size > sizeof(rmsg)) {
+                        rcode = -EFAULT;
+                        goto sg_list_cleanup;
+                }
+
                 /* Copy in the user's I2O command */
                 if (copy_from_user(rmsg, user_msg, size)) {
                         rcode = -EFAULT;