Commit 91b5c98c2e062f982423686c77b8bf31f37fa196

Authored by Dan Rosenberg
Committed by David S. Miller
1 parent 80ce3f67e7

caif: don't set connection request param size before copying data

The size field should not be set until after the data is successfully
copied in.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 1 additions and 1 deletions

net/caif/caif_socket.c
... ... @@ -740,12 +740,12 @@
740 740 if (cf_sk->sk.sk_protocol != CAIFPROTO_UTIL)
741 741 return -ENOPROTOOPT;
742 742 lock_sock(&(cf_sk->sk));
743   - cf_sk->conn_req.param.size = ol;
744 743 if (ol > sizeof(cf_sk->conn_req.param.data) ||
745 744 copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {
746 745 release_sock(&cf_sk->sk);
747 746 return -EINVAL;
748 747 }
  748 + cf_sk->conn_req.param.size = ol;
749 749 release_sock(&cf_sk->sk);
750 750 return 0;
751 751
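
Review bot: On the failure path at new lines 743-747, a copy_from_user() that faults partway through can still leave cf_sk->conn_req.param.data partially overwritten while param.size keeps its previous value, so the stored size and the stored bytes may no longer describe the same request. Consider copying into a local buffer and committing both data and size together under the lock only after the copy succeeds, or resetting param.size to 0 in the error branch. Separately, both the oversize check and the copy fault return -EINVAL; splitting the condition so that a failed copy_from_user() returns -EFAULT would match the usual convention and make the two failures distinguishable to callers. The commit message would also benefit from stating the consequence being fixed: before this change, an ol larger than sizeof(cf_sk->conn_req.param.data) was written to param.size even though the call was rejected.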