nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

net: socket: error on a negative msg_namelen

Browse source 
When copying in a struct msghdr from the user, if the user has set the
msg_namelen parameter to a negative value it gets clamped to a valid
size due to a comparison between signed and unsigned values.

Ensure the syscall errors when the user passes in a negative value.

Signed-off-by: Matthew Leach <matthew.leach@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Matthew Leach 2014-03-11 11:58:27 +00:00 committed by David S. Miller
parent 7e814a6c50
commit dbb490b965
1 changed files with 4 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

4
net/socket.c
View file

@ -1985,6 +1985,10 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
{ {
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
return -EFAULT; return -EFAULT;
if (kmsg->msg_namelen < 0)
return -EINVAL;
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
kmsg->msg_namelen = sizeof(struct sockaddr_storage); kmsg->msg_namelen = sizeof(struct sockaddr_storage);
return 0; return 0;