net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

Change-Id: I4bbd1bd2b661bc21aa0fdcc436b09b3bd23803be Cc: stable@vger.kernel.org # v3.19 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 4de930efc23b92ddf88ce91c405ee645fe6e27ea Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> [dcagle: Resolve trivial merge conflicts] Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
author: Al Viro <viro@ZenIV.linux.org.uk> 2015-03-20 17:41:43 +0000
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-02-17 10:18:36 -0800
commit: e26164ecb17ac450f648870cafb95a3729ddda3c (patch)
tree: c403626a00682f1259048b22550c8e314aca29ee /net/socket.c
parent: 7066afbbe98876327824a305c9d0737114136baa (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c
index 5211c40daecc..1cdfe02104a6 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1664,6 +1664,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
 
 	if (len > INT_MAX)
 		len = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+		return -EFAULT;
 
 	err = import_single_range(WRITE, buff, len, &iov, &msg.msg_iter);
 	if (unlikely(err))
@@ -1723,6 +1725,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
 
 	if (size > INT_MAX)
 		size = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+		return -EFAULT;
 	err = import_single_range(READ, ubuf, size, &iov, &msg.msg_iter);
 	if (unlikely(err))
 		return err;
author	Al Viro <viro@ZenIV.linux.org.uk>	2015-03-20 17:41:43 +0000
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-02-17 10:18:36 -0800
commit	e26164ecb17ac450f648870cafb95a3729ddda3c (patch)
tree	c403626a00682f1259048b22550c8e314aca29ee /net/socket.c
parent	7066afbbe98876327824a305c9d0737114136baa (diff)