
Commit 91b5c98c authored by Dan Rosenberg, committed by David S. Miller

caif: don't set connection request param size before copying data



The size field should not be set until after the data is successfully
copied in.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 80ce3f67
+1 −1
@@ -740,12 +740,12 @@ static int setsockopt(struct socket *sock,
		if (cf_sk->sk.sk_protocol != CAIFPROTO_UTIL)
			return -ENOPROTOOPT;
		lock_sock(&(cf_sk->sk));
		cf_sk->conn_req.param.size = ol;
		if (ol > sizeof(cf_sk->conn_req.param.data) ||
			copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {
			release_sock(&cf_sk->sk);
			return -EINVAL;
		}
		cf_sk->conn_req.param.size = ol;
		release_sock(&cf_sk->sk);
		return 0;
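Review bot: In the failure branch of the `copy_from_user(&cf_sk->conn_req.param.data, ov, ol)` check, a copy that faults partway can still leave `param.data` partially overwritten, while `param.size` now keeps its previous value, so the stored parameter can end up inconsistent with its recorded length. Consider copying into a local buffer first and updating `data` and `size` together under `lock_sock()` only once the copy has fully succeeded. Separately, that branch returns `-EINVAL` for both the oversize case and a faulting copy; `-EFAULT` is the conventional return for the latter. The rendered hunk shows `cf_sk->conn_req.param.size = ol;` twice because the +/- markers were lost; per the commit message, the occurrence before the check is the removed line and the one after it is the added line.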