sendmmsg/sendmsg: fix unsafe user pointer access

[deliverable/linux.git] / net / socket.c

diff --git a/net/socket.c b/net/socket.c
index 24a77400b65e4e8fd63f825144bdc4891b5fced9..ffe92ca32f2acc031605e69d13614b6c8374bed3 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
         * used_address->name_len is initialized to UINT_MAX so that the first
         * destination address never matches.
         */
-       if (used_address && used_address->name_len == msg_sys->msg_namelen &&
-           !memcmp(&used_address->name, msg->msg_name,
+       if (used_address && msg_sys->msg_name &&
+           used_address->name_len == msg_sys->msg_namelen &&
+           !memcmp(&used_address->name, msg_sys->msg_name,
                    used_address->name_len)) {
                err = sock_sendmsg_nosec(sock, msg_sys, total_len);
                goto out_freectl;
@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
         */
        if (used_address && err >= 0) {
                used_address->name_len = msg_sys->msg_namelen;
-               memcpy(&used_address->name, msg->msg_name,
-                      used_address->name_len);
+               if (msg_sys->msg_name)
+                       memcpy(&used_address->name, msg_sys->msg_name,
+                              used_address->name_len);
        }
 
 out_freectl: