Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 91b5c98c authored by Dan Rosenberg's avatar Dan Rosenberg Committed by David S. Miller
Browse files

caif: don't set connection request param size before copying data 



The size field should not be set until after the data is successfully
copied in.

Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 80ce3f67

net/caif/caif_socket.c

+1 −1
Original line number Diff line number Diff line
@@ -740,12 +740,12 @@ static int setsockopt(struct socket *sock, 
		if (cf_sk->sk.sk_protocol != CAIFPROTO_UTIL)

			return -ENOPROTOOPT;

		lock_sock(&(cf_sk->sk));

		cf_sk->conn_req.param.size = ol;

		if (ol > sizeof(cf_sk->conn_req.param.data) ||

			copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {

			release_sock(&cf_sk->sk);

			return -EINVAL;

		}

		cf_sk->conn_req.param.size = ol;

		release_sock(&cf_sk->sk);

		return 0;