net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

author Al Viro <viro@ZenIV.linux.org.uk>

Fri, 20 Mar 2015 17:41:43 +0000 (17:41 +0000)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 26 Mar 2015 12:59:35 +0000 (13:59 +0100)
author Al Viro <viro@ZenIV.linux.org.uk>
Fri, 20 Mar 2015 17:41:43 +0000 (17:41 +0000)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 26 Mar 2015 12:59:35 +0000 (13:59 +0100)
diff --git a/net/socket.c b/net/socket.c

index 418795caa8979fd0eb5d19e4d1fe3376fc0e9b20..d50e7ca6aeeadb333541d3b6865047ddc40f5db0 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
  
         if (len > INT_MAX)
                 len = INT_MAX;
+       if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+               return -EFAULT;
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
  
         if (size > INT_MAX)
                 size = INT_MAX;
+       if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+               return -EFAULT;
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
author	Al Viro <viro@ZenIV.linux.org.uk>
	Fri, 20 Mar 2015 17:41:43 +0000 (17:41 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 26 Mar 2015 12:59:35 +0000 (13:59 +0100)