[SPARC64]: Fix cmsg length checks in Solaris emulation layer.
David S. Miller [Tue, 21 Jun 2005 22:39:22 +0000 (15:39 -0700)]
Signed-off-by: David S. Miller <davem@davemloft.net>

arch/sparc64/solaris/socket.c

index ec8e074..0674058 100644 (file)
@@ -317,8 +317,10 @@ asmlinkage int solaris_sendmsg(int fd, struct sol_nmsghdr __user *user_msg, unsi
                unsigned long *kcmsg;
                compat_size_t cmlen;
 
-               if(kern_msg.msg_controllen > sizeof(ctl) &&
-                  kern_msg.msg_controllen <= 256) {
+               if (kern_msg.msg_controllen <= sizeof(compat_size_t))
+                       return -EINVAL;
+
+               if(kern_msg.msg_controllen > sizeof(ctl)) {
                        err = -ENOBUFS;
                        ctl_buf = kmalloc(kern_msg.msg_controllen, GFP_KERNEL);
                        if(!ctl_buf)
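Review bot: The added `return -EINVAL` for a too-short `msg_controllen` leaves solaris_sendmsg directly, while the allocation-failure path just below sets `err = -ENOBUFS` before branching, which suggests a shared cleanup exit that the new return bypasses. The function starts and ends outside this hunk, so this needs checking against the setup above it; if anything acquired earlier must be released, the check should become `err = -EINVAL;` followed by a `goto` to the same cleanup label the `!ctl_buf` branch uses. Separately, dropping the old `<= 256` term presumably stops oversized lengths from falling through to the fixed `ctl` buffer, but it also means the user-supplied `msg_controllen` now reaches `kmalloc(..., GFP_KERNEL)` with no upper bound. The NULL result is checked, yet an explicit cap ahead of the allocation would be worth adding, with a comment such as `/* msg_controllen is user-controlled: bound it before allocating */`.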