diff options
author | Al Viro <viro@ZenIV.linux.org.uk> | 2015-03-20 17:41:43 +0000 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:01 +0200 |
commit | da14f7e135c8aa81461ca2ed327359a1f3b2b709 (patch) | |
tree | 9e491344eacca6c781c8e41c80e8e46573ab8da8 | |
parent | d55e31a0901339adf8f0f283a5b65c362e28e63e (diff) | |
download | kernel_samsung_tuna-da14f7e135c8aa81461ca2ed327359a1f3b2b709.tar.gz kernel_samsung_tuna-da14f7e135c8aa81461ca2ed327359a1f3b2b709.tar.bz2 kernel_samsung_tuna-da14f7e135c8aa81461ca2ed327359a1f3b2b709.zip |
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Bug: 28759139
Change-Id: I561a14b514d714838ef539a94275b117d7f475f4
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/socket.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index b2786fe2d01..b63f764f8d7 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1683,6 +1683,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, if (len > INT_MAX) len = INT_MAX; + if (unlikely(!access_ok(VERIFY_READ, buff, len))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; @@ -1742,6 +1744,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, if (size > INT_MAX) size = INT_MAX; + if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; |