caif: don't set connection request param size before copying data
Dan Rosenberg [Tue, 11 Jan 2011 00:00:54 +0000 (16:00 -0800)]
The size field should not be set until after the data is successfully
copied in.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/caif/caif_socket.c

index 1bf0cf5..8184c03 100644 (file)
@@ -740,12 +740,12 @@ static int setsockopt(struct socket *sock,
                if (cf_sk->sk.sk_protocol != CAIFPROTO_UTIL)
                        return -ENOPROTOOPT;
                lock_sock(&(cf_sk->sk));
-               cf_sk->conn_req.param.size = ol;
                if (ol > sizeof(cf_sk->conn_req.param.data) ||
                        copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {
                        release_sock(&cf_sk->sk);
                        return -EINVAL;
                }
+               cf_sk->conn_req.param.size = ol;
                release_sock(&cf_sk->sk);
                return 0;
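
Review bot: in the error branch, copy_from_user() still writes directly into cf_sk->conn_req.param.data, so a fault part-way through the copy can leave that buffer modified while param.size keeps the length of the previous parameter; moving the size assignment fixes the stale-size case but not this mismatch. Consider copying into a local buffer of sizeof(cf_sk->conn_req.param.data) first, and only on success copying it into conn_req.param.data and setting param.size = ol under lock_sock(). The two failure conditions also share one return -EINVAL; splitting them so that ol > sizeof(...) returns -EINVAL and a failed copy_from_user() returns -EFAULT would let callers tell a bad length from a bad pointer.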