[NET]: fix uaccess handling

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 25 insertions, 14 deletions

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index b430cf2a4f66..5c31dead2bdc 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -329,7 +329,7 @@ error:
         return err; 
 }
 
-static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 {
         struct iovec *iov;
         u8 __user *type = NULL;
@@ -338,7 +338,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
         unsigned int i;
 
         if (!msg->msg_iov)
-                return;
+                return 0;
 
         for (i = 0; i < msg->msg_iovlen; i++) {
                 iov = &msg->msg_iov[i];
@@ -360,8 +360,9 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                 code = iov->iov_base;
 
                         if (type && code) {
-                                get_user(fl->fl_icmp_type, type);
-                                get_user(fl->fl_icmp_code, code);
+                                if (get_user(fl->fl_icmp_type, type) ||
+                                    get_user(fl->fl_icmp_code, code))
+                                        return -EFAULT;
                                 probed = 1;
                         }
                         break;
@@ -372,6 +373,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                 if (probed)
                         break;
         }
+        return 0;
 }
 
 static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
@@ -480,8 +482,11 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                                     .proto = inet->hdrincl ? IPPROTO_RAW :
                                                              sk->sk_protocol,
                                   };
-                if (!inet->hdrincl)
-                        raw_probe_proto_opt(&fl, msg);
+                if (!inet->hdrincl) {
+                        err = raw_probe_proto_opt(&fl, msg);
+                        if (err)
+                                goto done;
+                }
 
                 security_sk_classify_flow(sk, &fl);
                 err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index d09329ca3267..d6dedc4aec77 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -604,7 +604,7 @@ error:
         return err; 
 }
 
-static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 {
         struct iovec *iov;
         u8 __user *type = NULL;
@@ -616,7 +616,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
         int i;
 
         if (!msg->msg_iov)
-                return;
+                return 0;
 
         for (i = 0; i < msg->msg_iovlen; i++) {
                 iov = &msg->msg_iov[i];
@@ -638,8 +638,9 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                 code = iov->iov_base;
 
                         if (type && code) {
-                                get_user(fl->fl_icmp_type, type);
-                                get_user(fl->fl_icmp_code, code);
+                                if (get_user(fl->fl_icmp_type, type) ||
+                                    get_user(fl->fl_icmp_code, code))
+                                        return -EFAULT;
                                 probed = 1;
                         }
                         break;
@@ -650,7 +651,8 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                         /* check if type field is readable or not. */
                         if (iov->iov_len > 2 - len) {
                                 u8 __user *p = iov->iov_base;
-                                get_user(fl->fl_mh_type, &p[2 - len]);
+                                if (get_user(fl->fl_mh_type, &p[2 - len]))
+                                        return -EFAULT;
                                 probed = 1;
                         } else
                                 len += iov->iov_len;
@@ -664,6 +666,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                 if (probed)
                         break;
         }
+        return 0;
 }
 
 static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
@@ -787,7 +790,9 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
         opt = ipv6_fixup_options(&opt_space, opt);
 
         fl.proto = proto;
-        rawv6_probe_proto_opt(&fl, msg);
+        err = rawv6_probe_proto_opt(&fl, msg);
+        if (err)
+                goto out;
  
         ipv6_addr_copy(&fl.fl6_dst, daddr);
         if (ipv6_addr_any(&fl.fl6_src) && !ipv6_addr_any(&np->saddr))
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d56e0d21f919..d527c8977b1f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1075,8 +1075,9 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
                         return -EINVAL;
                 len = sizeof(int);
                 val = nlk->flags & NETLINK_RECV_PKTINFO ? 1 : 0;
-                put_user(len, optlen);
-                put_user(val, optval);
+                if (put_user(len, optlen) ||
+                    put_user(val, optval))
+                        return -EFAULT;
                 err = 0;
                 break;
         default: