mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
net: socket: error on a negative msg_namelen
[ Upstream commit dbb490b965 ]
When copying in a struct msghdr from the user, if the user has set the
msg_namelen parameter to a negative value it gets clamped to a valid
size due to a comparison between signed and unsigned values.
Ensure the syscall errors when the user passes in a negative value.
Signed-off-by: Matthew Leach <matthew.leach@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Matthew Leach
Greg Kroah-Hartman
parent
711d917045
commit
d82c152b56
1 changed files with 4 additions and 0 deletions
|
|
@ -1907,6 +1907,10 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
|
|||
{
|
||||
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
|
||||
return -EFAULT;
|
||||
|
||||
if (kmsg->msg_namelen < 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
kmsg->msg_namelen = sizeof(struct sockaddr_storage);
|
||||
return 0;
|
||||
|
|
|
|||
Loading…
Reference in a new issue