1 files changed, 13 insertions, 1 deletions

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12da2fe..c37ac2d7bec 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
         if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
+        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+                return -EINVAL;
+        if (len < 0 || len >  MAX_ARG_LEN)
+                return -EINVAL;
         if (len != set_arglen[SET_CMDID(cmd)]) {
                 pr_err("set_ctl: len %u != %u\n",
                        len, set_arglen[SET_CMDID(cmd)]);
@@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
         unsigned char arg[128];
         int ret = 0;
+        unsigned int copylen;
 
         if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
+        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
+                return -EINVAL;
+
         if (*len < get_arglen[GET_CMDID(cmd)]) {
                 pr_err("get_ctl: len %u < %u\n",
                        *len, get_arglen[GET_CMDID(cmd)]);
                 return -EINVAL;
         }
 
-        if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+        copylen = get_arglen[GET_CMDID(cmd)];
+        if (copylen > 128)
+                return -EINVAL;
+
+        if (copy_from_user(arg, user, copylen) != 0)
                 return -EFAULT;
 
         if (mutex_lock_interruptible(&__ip_vs_mutex))