1 files changed, 11 insertions, 8 deletions

diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 7f097989cde2..c9890e25cd4c 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -45,7 +45,6 @@
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/types.h>
-#include <linux/smp_lock.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
 #include <linux/slab.h>
@@ -2281,6 +2280,16 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
 
         switch (optname) {
         case IRLMP_ENUMDEVICES:
+
+                /* Offset to first device entry */
+                offset = sizeof(struct irda_device_list) -
+                        sizeof(struct irda_device_info);
+
+                if (len < offset) {
+                        err = -EINVAL;
+                        goto out;
+                }
+
                 /* Ask lmp for the current discovery log */
                 discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
                                                     self->nslots);
@@ -2291,15 +2300,9 @@ static int irda_getsockopt(struct socket *sock, int level, int optname,
                 }
 
                 /* Write total list length back to client */
-                if (copy_to_user(optval, &list,
-                                 sizeof(struct irda_device_list) -
-                                 sizeof(struct irda_device_info)))
+                if (copy_to_user(optval, &list, offset))
                         err = -EFAULT;
 
-                /* Offset to first device entry */
-                offset = sizeof(struct irda_device_list) -
-                        sizeof(struct irda_device_info);
-
                 /* Copy the list itself - watch for overflow */
                 if (list.len > 2048) {
                         err = -EINVAL;