From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Tue, 11 Jan 2011 00:00:54 +0000 (-0800)
Subject: caif: don't set connection request param size before copying data
X-Git-Tag: v2.6.38-rc1~50^2~47
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=91b5c98c2e062f982423686c77b8bf31f37fa196;p=platform%2Fkernel%2Flinux-exynos.git

caif: don't set connection request param size before copying data

The size field should not be set until after the data is successfully
copied in.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 1bf0cf5..8184c03 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -740,12 +740,12 @@ static int setsockopt(struct socket *sock,
 		if (cf_sk->sk.sk_protocol != CAIFPROTO_UTIL)
 			return -ENOPROTOOPT;
 		lock_sock(&(cf_sk->sk));
-		cf_sk->conn_req.param.size = ol;
 		if (ol > sizeof(cf_sk->conn_req.param.data) ||
 			copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {
 			release_sock(&cf_sk->sk);
 			return -EINVAL;
 		}
+		cf_sk->conn_req.param.size = ol;
 		release_sock(&cf_sk->sk);
 		return 0;