summaryrefslogtreecommitdiff
path: root/net/socket.c
diff options
context:
space:
mode:
authorArjan van de Ven <arjan@linux.intel.com>2009-09-28 12:57:44 -0700
committerDavid S. Miller <davem@davemloft.net>2009-09-28 12:57:44 -0700
commit47379052b5c87707bc6e20a2a4f6ac156fb8357c (patch)
tree178c84b77edbc7cac3223cbe930bd5927a4bf86f /net/socket.c
parent30df94f800368a016d09ee672c9fcc20751d0260 (diff)
downloadlinux-3.10-47379052b5c87707bc6e20a2a4f6ac156fb8357c.tar.gz
linux-3.10-47379052b5c87707bc6e20a2a4f6ac156fb8357c.tar.bz2
linux-3.10-47379052b5c87707bc6e20a2a4f6ac156fb8357c.zip
net: Add explicit bound checks in net/socket.c
The sys_socketcall() function has a very clever system for the copy size of its arguments. Unfortunately, gcc cannot deal with this in terms of proving that the copy_from_user() is then always in bounds. This is the last (well 9th of this series, but last in the kernel) such case around. With this patch, we can turn on code to make having the boundary provably right for the whole kernel, and detect introduction of new security accidents of this type early on. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/socket.c')
-rw-r--r--net/socket.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/socket.c b/net/socket.c
index 49917a1cac7..41e8847508a 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
unsigned long a[6];
unsigned long a0, a1;
int err;
+ unsigned int len;
if (call < 1 || call > SYS_ACCEPT4)
return -EINVAL;
+ len = nargs[call];
+ if (len > sizeof(a))
+ return -EINVAL;
+
/* copy_from_user should be SMP safe. */
- if (copy_from_user(a, args, nargs[call]))
+ if (copy_from_user(a, args, len))
return -EFAULT;
audit_socketcall(nargs[call] / sizeof(unsigned long), a);