From 0e672f795efc0afb318ca41777402eee798427e3 Mon Sep 17 00:00:00 2001 From: Alexander Motin Date: Tue, 28 Feb 2017 05:17:50 +0000 Subject: [PATCH] Add safety check against too long CDB. SBP-2 specification defined maximum CDB length as 12 bytes. Newer SBP-3 specification allows CDB of any size, but this driver is too old. Proper solution would be to look on maximal ORB size supported by the target. MFC after: 1 week --- sys/dev/firewire/sbp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/dev/firewire/sbp.c b/sys/dev/firewire/sbp.c index bc0b59fe2fd..8953be7e11f 100644 --- a/sys/dev/firewire/sbp.c +++ b/sys/dev/firewire/sbp.c @@ -2367,6 +2367,11 @@ END_DEBUG xpt_done(ccb); return; } + if (csio->cdb_len > sizeof(ocb->orb) - 5 * sizeof(uint32_t)) { + ccb->ccb_h.status = CAM_REQ_INVALID; + xpt_done(ccb); + return; + } #if 0 /* if we are in probe stage, pass only probe commands */ if (sdev->status == SBP_DEV_PROBE) {
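Review bot: the bound in the added check, `sizeof(ocb->orb) - 5 * sizeof(uint32_t)`, relies on an unexplained magic number; the reader cannot tell from this hunk that the first five 32-bit words of the ORB are its header and that only the remainder carries the CDB, nor that this works out to the 12-byte SBP-2 limit the commit message cites. Suggest a named constant or a one-line comment above the `if`, e.g. `/* ORB header is 5 dwords; the rest holds the CDB (12 bytes under SBP-2) */`, so that a later change to the `orb` array size or header layout is not silently out of step with this check. Rejecting with `CAM_REQ_INVALID` and `xpt_done(ccb)` matches the error path immediately above, which is the right pattern; since the commit message states that the proper fix is to use the target's maximum ORB size, a `TODO` to that effect at the check would keep that known limitation visible in the code rather than only in the log.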