1 files changed, 20 insertions, 4 deletions

diff --git a/net/socket.c b/net/socket.c
index ebed4b68f768..c226aceee65b 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1964,6 +1964,16 @@ struct used_address {
         unsigned int name_len;
 };
 
+static int copy_msghdr_from_user(struct msghdr *kmsg,
+                                 struct msghdr __user *umsg)
+{
+        if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+                return -EFAULT;
+        if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+                return -EINVAL;
+        return 0;
+}
+
 static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
                          struct msghdr *msg_sys, unsigned int flags,
                          struct used_address *used_address)
@@ -1982,8 +1992,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
         if (MSG_CMSG_COMPAT & flags) {
                 if (get_compat_msghdr(msg_sys, msg_compat))
                         return -EFAULT;
-        } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
-                return -EFAULT;
+        } else {
+                err = copy_msghdr_from_user(msg_sys, msg);
+                if (err)
+                        return err;
+        }
 
         if (msg_sys->msg_iovlen > UIO_FASTIOV) {
                 err = -EMSGSIZE;
@@ -2191,8 +2204,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
         if (MSG_CMSG_COMPAT & flags) {
                 if (get_compat_msghdr(msg_sys, msg_compat))
                         return -EFAULT;
-        } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
-                return -EFAULT;
+        } else {
+                err = copy_msghdr_from_user(msg_sys, msg);
+                if (err)
+                        return err;
+        }
 
         if (msg_sys->msg_iovlen > UIO_FASTIOV) {
                 err = -EMSGSIZE;