Index: sys/cam/scsi/scsi_pass.c
===================================================================
--- sys/cam/scsi/scsi_pass.c
+++ sys/cam/scsi/scsi_pass.c
@@ -2170,7 +2170,6 @@
 {
 	struct pass_softc *softc;
 	struct cam_periph_map_info mapinfo;
-	uint8_t *cmd;
 	xpt_opcode fc;
 	int error;
 
@@ -2183,11 +2182,15 @@
 	xpt_merge_ccb(ccb, inccb);
 
 	if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
-		cmd = __builtin_alloca(ccb->csio.cdb_len);
-		error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd, ccb->csio.cdb_len);
+		if (ccb->csio.cdb_len > IOCDBLEN)
+			return (EINVAL);
+		cam_periph_unlock(periph);
+		error = copyin(ccb->csio.cdb_io.cdb_ptr,
+		    ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len);
+		cam_periph_lock(periph);
 		if (error)
 			return (error);
-		ccb->csio.cdb_io.cdb_ptr = cmd;
+		ccb->ccb_h.flags &= ~CAM_CDB_POINTER;
 	}
 
 	/*