Loading net/ipv4/ip_sockglue.c +6 −14 Original line number Diff line number Diff line Loading @@ -934,14 +934,9 @@ static int do_ip_setsockopt(struct sock *sk, int level, err = -ENOBUFS; break; } msf = kmalloc(optlen, GFP_KERNEL); if (!msf) { err = -ENOBUFS; break; } err = -EFAULT; if (copy_from_user(msf, optval, optlen)) { kfree(msf); msf = memdup_user(optval, optlen); if (IS_ERR(msf)) { err = PTR_ERR(msf); break; } /* numsrc >= (1G-4) overflow in 32 bits */ Loading Loading @@ -1090,14 +1085,11 @@ static int do_ip_setsockopt(struct sock *sk, int level, err = -ENOBUFS; break; } gsf = kmalloc(optlen, GFP_KERNEL); if (!gsf) { err = -ENOBUFS; gsf = memdup_user(optval, optlen); if (IS_ERR(gsf)) { err = PTR_ERR(gsf); break; } err = -EFAULT; if (copy_from_user(gsf, optval, optlen)) goto mc_msf_out; /* numsrc >= (4G-140)/128 overflow in 32 bits */ if (gsf->gf_numsrc >= 0x1ffffff || Loading Loading
net/ipv4/ip_sockglue.c +6 −14 Original line number Diff line number Diff line Loading @@ -934,14 +934,9 @@ static int do_ip_setsockopt(struct sock *sk, int level, err = -ENOBUFS; break; } msf = kmalloc(optlen, GFP_KERNEL); if (!msf) { err = -ENOBUFS; break; } err = -EFAULT; if (copy_from_user(msf, optval, optlen)) { kfree(msf); msf = memdup_user(optval, optlen); if (IS_ERR(msf)) { err = PTR_ERR(msf); break; } /* numsrc >= (1G-4) overflow in 32 bits */ Loading Loading @@ -1090,14 +1085,11 @@ static int do_ip_setsockopt(struct sock *sk, int level, err = -ENOBUFS; break; } gsf = kmalloc(optlen, GFP_KERNEL); if (!gsf) { err = -ENOBUFS; gsf = memdup_user(optval, optlen); if (IS_ERR(gsf)) { err = PTR_ERR(gsf); break; } err = -EFAULT; if (copy_from_user(gsf, optval, optlen)) goto mc_msf_out; /* numsrc >= (4G-140)/128 overflow in 32 bits */ if (gsf->gf_numsrc >= 0x1ffffff || Loading
Al Viro <viro@zeniv.linux.org.uk>Al Viro <viro@zeniv.linux.org.uk>