From c7595fe0503b83466850c022198861246576bc8d Mon Sep 17 00:00:00 2001
From: Arjan van de Ven <arjan@linux.intel.com>
Date: Mon, 28 Sep 2009 12:57:44 -0700
Subject: [PATCH] --- yaml --- r: 166564 b: refs/heads/master c:
 47379052b5c87707bc6e20a2a4f6ac156fb8357c h: refs/heads/master v: v3

---
 [refs]             | 2 +-
 trunk/net/socket.c | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/[refs] b/[refs]
index 0f5ce5b1e897..91faa65aef89 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 30df94f800368a016d09ee672c9fcc20751d0260
+refs/heads/master: 47379052b5c87707bc6e20a2a4f6ac156fb8357c
diff --git a/trunk/net/socket.c b/trunk/net/socket.c
index 49917a1cac7d..41e8847508aa 100644
--- a/trunk/net/socket.c
+++ b/trunk/net/socket.c
@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
 	unsigned long a[6];
 	unsigned long a0, a1;
 	int err;
+	unsigned int len;
 
 	if (call < 1 || call > SYS_ACCEPT4)
 		return -EINVAL;
 
+	len = nargs[call];
+	if (len > sizeof(a))
+		return -EINVAL;
+
 	/* copy_from_user should be SMP safe. */
-	if (copy_from_user(a, args, nargs[call]))
+	if (copy_from_user(a, args, len))
 		return -EFAULT;
 
 	audit_socketcall(nargs[call] / sizeof(unsigned long), a);