[PATCH] scsi: 3w-xxxx: validate AEN ioctl buffer length

From: Yousef Alhouseen

Date: Wed Jun 24 2026 - 15:31:42 EST


TW_OP_AEN_LISTEN copies a fixed AEN code into the ioctl data buffer, but
the coherent ioctl allocation is sized from the user-supplied buffer
length. A zero-length or otherwise short buffer lets the handler write
past the allocated ioctl buffer.

Reject AEN listen requests whose data buffer is too small for the code
returned by the driver.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/scsi/3w-xxxx.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
index c68678fa7..147a47e6b 100644
--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -908,6 +908,12 @@ static long tw_chrdev_ioctl(struct file *file, unsigned int cmd, unsigned long a
goto out;
}

+ if (cmd == TW_OP_AEN_LISTEN &&
+ data_buffer_length < sizeof(tw_aen_code)) {
+ retval = -EINVAL;
+ goto out;
+ }
+
/* Hardware can only do multiple of 512 byte transfers */
data_buffer_length_adjusted = (data_buffer_length + 511) & ~511;

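Review bot: the new check in tw_chrdev_ioctl() compares the raw data_buffer_length, but the statement right after it rounds that value up to a multiple of 512, so the changelog should say which of the two lengths sizes the coherent allocation. If the allocation is based on data_buffer_length_adjusted, any non-zero length already gives at least 512 bytes and only the zero-length request can overflow, in which case "or otherwise short" in the commit message overstates the problem. A one-line comment above the check saying that TW_OP_AEN_LISTEN writes sizeof(tw_aen_code) bytes into the data buffer would make the intent clear to later readers. Since the commit message describes an out-of-bounds write reachable through the ioctl, please also add a Fixes: tag naming the commit that introduced it.
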
@@ -2427,4 +2433,3 @@ static void __exit tw_exit(void)

module_init(tw_init);
module_exit(tw_exit);
-
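Review bot: the removal of the trailing blank line after module_exit(tw_exit); is unrelated to the length check and should be dropped from this patch or sent separately. Keeping the fix to the single hunk in tw_chrdev_ioctl() makes it easier to review and to backport, and the diffstat then reflects only the functional change.
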
--
2.54.0