In mptctl_do_mpt_command() we cap the upper bound of .maxSenseBytes but we don't check for negative values: if (karg.maxSenseBytes > MPT_SENSE_BUFFER_SIZE) I've fixed this by making the type unsigned and I changed the surrounding types to match as well. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
diff --git a/drivers/message/fusion/mptctl.h b/drivers/message/fusion/mptctl.h
index d564cc9..9ea5a18 100644
--- a/drivers/message/fusion/mptctl.h
+++ b/drivers/message/fusion/mptctl.h
@@ -324,11 +324,11 @@ struct mpt_ioctl_command {
 char __user *dataInBufPtr;
 char __user *dataOutBufPtr;
 char __user *senseDataPtr;
- int maxReplyBytes;
- int dataInSize;
- int dataOutSize;
- int maxSenseBytes;
- int dataSgeOffset;
+ u32 maxReplyBytes;
+ u32 dataInSize;
+ u32 dataOutSize;
+ u32 maxSenseBytes;
+ u32 dataSgeOffset;
 char MF[1];
 };
 
@@ -343,11 +343,11 @@ struct mpt_ioctl_command32 {
 u32 dataInBufPtr;
 u32 dataOutBufPtr;
 u32 senseDataPtr;
- int maxReplyBytes;
- int dataInSize;
- int dataOutSize;
- int maxSenseBytes;
- int dataSgeOffset;
+ u32 maxReplyBytes;
+ u32 dataInSize;
+ u32 dataOutSize;
+ u32 maxSenseBytes;
+ u32 dataSgeOffset;
 char MF[1];
 };
 #endif /*}*/
-- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
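Review bot: Only `maxSenseBytes` is described as having an upper bound, yet `maxReplyBytes`, `dataInSize`, `dataOutSize` and `dataSgeOffset` in `struct mpt_ioctl_command` (and the same five fields in `struct mpt_ioctl_command32`, second hunk) also become `u32`, so a value that used to be negative now reads as a very large count instead. The code that consumes these fields is in mptctl_do_mpt_command(), outside this diff, so it is worth confirming that each one is compared against an explicit limit before it reaches an allocation, a copy length or a multiplication, because arithmetic on a user-supplied `u32` can wrap in 32 bits. A comment above the size fields such as `/* user-supplied via ioctl; range-check every field before use */` would record that expectation for the next reader. Both struct definitions start outside their hunks.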