aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorArjan van de Ven <arjan@linux.intel.com>2009-09-28 15:57:44 -0400
committerDavid S. Miller <davem@davemloft.net>2009-09-28 15:57:44 -0400
commit47379052b5c87707bc6e20a2a4f6ac156fb8357c (patch)
tree178c84b77edbc7cac3223cbe930bd5927a4bf86f /net
parent30df94f800368a016d09ee672c9fcc20751d0260 (diff)
net: Add explicit bound checks in net/socket.c
The sys_socketcall() function has a very clever system for the copy size of its arguments. Unfortunately, gcc cannot deal with this in terms of proving that the copy_from_user() is then always in bounds. This is the last (well 9th of this series, but last in the kernel) such case around. With this patch, we can turn on code to make having the boundary provably right for the whole kernel, and detect introduction of new security accidents of this type early on. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/socket.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/socket.c b/net/socket.c
index 49917a1cac7d..41e8847508aa 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
2098 unsigned long a[6]; 2098 unsigned long a[6];
2099 unsigned long a0, a1; 2099 unsigned long a0, a1;
2100 int err; 2100 int err;
2101 unsigned int len;
2101 2102
2102 if (call < 1 || call > SYS_ACCEPT4) 2103 if (call < 1 || call > SYS_ACCEPT4)
2103 return -EINVAL; 2104 return -EINVAL;
2104 2105
2106 len = nargs[call];
2107 if (len > sizeof(a))
2108 return -EINVAL;
2109
2105 /* copy_from_user should be SMP safe. */ 2110 /* copy_from_user should be SMP safe. */
2106 if (copy_from_user(a, args, nargs[call])) 2111 if (copy_from_user(a, args, len))
2107 return -EFAULT; 2112 return -EFAULT;
2108 2113
2109 audit_socketcall(nargs[call] / sizeof(unsigned long), a); 2114 audit_socketcall(nargs[call] / sizeof(unsigned long), a);