--- sys/cam/ctl/ctl.c.orig +++ sys/cam/ctl/ctl.c @@ -8320,6 +8320,18 @@ param_len = scsi_4btoul(cdb->length); + /* validate the parameter length */ + if (param_len != 24) { + ctl_set_invalid_field(ctsio, + /*sks_valid*/ 1, + /*command*/ 1, + /*field*/ 5, + /*bit_valid*/ 1, + /*bit*/ 0); + ctl_done((union ctl_io *)ctsio); + return (CTL_RETVAL_COMPLETE); + } + if ((ctsio->io_hdr.flags & CTL_FLAG_ALLOCATED) == 0) { ctsio->kern_data_ptr = malloc(param_len, M_CTL, M_WAITOK); ctsio->kern_data_len = param_len;