1 files changed, 14 insertions, 4 deletions

diff --git a/sys/dev/aacraid/aacraid.c b/sys/dev/aacraid/aacraid.c
index 7c300a6..b0ab8a1 100644
--- a/sys/dev/aacraid/aacraid.c
+++ b/sys/dev/aacraid/aacraid.c
@@ -2873,15 +2873,25 @@ aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg)
 	if (fibsize == (sizeof(struct aac_srb) + 
 		srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry))) {
 		struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
-		srb_sg_bytecount = sgp->SgByteCount;
-		srb_sg_address = (u_int64_t)sgp->SgAddress;
+		struct aac_sg_entry sg;
+
+		if ((error = copyin(sgp, &sg, sizeof(sg))) != 0)
+			goto out;
+
+		srb_sg_bytecount = sg.SgByteCount;
+		srb_sg_address = (u_int64_t)sg.SgAddress;
 	} else if (fibsize == (sizeof(struct aac_srb) + 
 		srbcmd->sg_map.SgCount * sizeof(struct aac_sg_entry64))) {
 #ifdef __LP64__
 		struct aac_sg_entry64 *sgp = 
 			(struct aac_sg_entry64 *)srbcmd->sg_map.SgEntry;
-		srb_sg_bytecount = sgp->SgByteCount;
-		srb_sg_address = sgp->SgAddress;
+		struct aac_sg_entry64 sg;
+
+		if ((error = copyin(sgp, &sg, sizeof(sg))) != 0)
+			goto out;
+
+		srb_sg_bytecount = sg.SgByteCount;
+		srb_sg_address = sg.SgAddress;
 		if (srb_sg_address > 0xffffffffull && 
 			!(sc->flags & AAC_FLAGS_SG_64BIT))
 #endif