diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2015-03-20 17:41:43 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-03-26 13:59:35 +0100 |
| commit | a39960b04c21381bab7fca79c6461f35074128f5 (patch) | |
| tree | ddf33459d366781482bcd228417412bf99aa8373 /net | |
| parent | 554b7d2eeeb4daa535fafb65e10305899617cd3e (diff) | |
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/socket.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index 418795caa897..d50e7ca6aeea 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, if (len > INT_MAX) len = INT_MAX; + if (unlikely(!access_ok(VERIFY_READ, buff, len))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; @@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, if (size > INT_MAX) size = INT_MAX; + if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; |