diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2015-03-20 17:41:43 +0000 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-09-28 15:16:06 +0200 |
| commit | ac994c24effcfa9a427dbd2c8baed50363cd5f90 (patch) | |
| tree | 67f5efbad8babf1c181a5ccdb31b952f384576d1 /net | |
| parent | a81e488bf9238e7714e71e0359eadf04b2346273 (diff) | |
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Bug: 28759139
Change-Id: I561a14b514d714838ef539a94275b117d7f475f4
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/socket.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index 9a272bd24..e7d50116c 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1832,6 +1832,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, if (len > INT_MAX) len = INT_MAX; + if (unlikely(!access_ok(VERIFY_READ, buff, len))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; @@ -1891,6 +1893,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, if (size > INT_MAX) size = INT_MAX; + if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size))) + return -EFAULT; sock = sockfd_lookup_light(fd, &err, &fput_needed); if (!sock) goto out; |