diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2015-03-20 13:41:43 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-03-20 16:38:06 -0400 |
| commit | 4de930efc23b92ddf88ce91c405ee645fe6e27ea (patch) | |
| tree | a5e02f72e51fca0aefd06600409bd42bc49392fb /net | |
| parent | 91edd096e224941131f896b86838b1e59553696a (diff) | |
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/socket.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index bbedbfcb42c2..245330ca0015 100644 --- a/net/socket.c +++ b/net/socket.c | |||
| @@ -1702,6 +1702,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, | |||
| 1702 | 1702 | ||
| 1703 | if (len > INT_MAX) | 1703 | if (len > INT_MAX) |
| 1704 | len = INT_MAX; | 1704 | len = INT_MAX; |
| 1705 | if (unlikely(!access_ok(VERIFY_READ, buff, len))) | ||
| 1706 | return -EFAULT; | ||
| 1705 | sock = sockfd_lookup_light(fd, &err, &fput_needed); | 1707 | sock = sockfd_lookup_light(fd, &err, &fput_needed); |
| 1706 | if (!sock) | 1708 | if (!sock) |
| 1707 | goto out; | 1709 | goto out; |
| @@ -1760,6 +1762,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, | |||
| 1760 | 1762 | ||
| 1761 | if (size > INT_MAX) | 1763 | if (size > INT_MAX) |
| 1762 | size = INT_MAX; | 1764 | size = INT_MAX; |
| 1765 | if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) | ||
| 1766 | return -EFAULT; | ||
| 1763 | sock = sockfd_lookup_light(fd, &err, &fput_needed); | 1767 | sock = sockfd_lookup_light(fd, &err, &fput_needed); |
| 1764 | if (!sock) | 1768 | if (!sock) |
| 1765 | goto out; | 1769 | goto out; |