net: Limit socket I/O iovec total length to INT_MAX.

					  int offset, 

					  unsigned int len, __wsum *csump);

extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);

extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);

extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);

extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,

			     int offset, int len);

		compat_size_t len;

		if (get_user(len, &uiov32->iov_len) ||

		   get_user(buf, &uiov32->iov_base)) {

			tot_len = -EFAULT;

			break;

		}

		    get_user(buf, &uiov32->iov_base))

			return -EFAULT;

		if (len > INT_MAX - tot_len)

			len = INT_MAX - tot_len;

		tot_len += len;

		kiov->iov_base = compat_ptr(buf);

		kiov->iov_len = (__kernel_size_t) len;

 *	in any case.

 */

long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)

int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)

{

	int size, ct;

	long err;

	int size, ct, err;

	if (m->msg_namelen) {

		if (mode == VERIFY_READ) {

	err = 0;

	for (ct = 0; ct < m->msg_iovlen; ct++) {

		err += iov[ct].iov_len;

		/*

		 * Goal is not to verify user data, but to prevent returning

		 * negative value, which is interpreted as errno.

		 * Overflow is still possible, but it is harmless.

		 */

		if (err < 0)

			return -EMSGSIZE;

		size_t len = iov[ct].iov_len;

		if (len > INT_MAX - err) {

			len = INT_MAX - err;

			iov[ct].iov_len = len;

		}

		err += len;

	}

	return err;