From: Al Viro <viro@ZenIV.linux.org.uk>
Date: Fri, 20 Mar 2015 17:41:43 +0000 (+0000)
Subject: net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
X-Git-Tag: v3.19.3~103
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a39960b04c21381bab7fca79c6461f35074128f5;p=thirdparty%2Fkernel%2Fstable.git

net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/socket.c b/net/socket.c
index 418795caa8979..d50e7ca6aeead 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
 
 	if (len > INT_MAX)
 		len = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+		return -EFAULT;
 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
 	if (!sock)
 		goto out;
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
 
 	if (size > INT_MAX)
 		size = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+		return -EFAULT;
 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
 	if (!sock)
 		goto out;