[3/4] nfc: Do not send datagram if socket state isn't LLCP_BOUND

Message ID: ff2e1639a591e413ce95eb64dea85751292c0be0.1700943019.git.code@siddh.me (mailing list archive)
State: Changes Requested
Delegated to: Netdev Maintainers
Series: Fix UAF caused by racing datagram sending and freeing of nfc_dev

Checks

Context Check Description
netdev/series_format warning Target tree name not specified in the subject
netdev/codegen success Generated files up to date
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1115 this patch: 1115
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/build_clang success Errors and warnings before: 1142 this patch: 1142
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1142 this patch: 1142
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Siddh Raman Pant Nov. 25, 2023, 8:26 p.m. UTC
As we know we cannot send the datagram (state can be set to LLCP_CLOSED
by nfc_llcp_socket_release()), there is no need to proceed further.

Thus, bail out early from llcp_sock_sendmsg().

Signed-off-by: Siddh Raman Pant <code@siddh.me>
---
 net/nfc/llcp_sock.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Krzysztof Kozlowski Nov. 27, 2023, 10:54 a.m. UTC | #1
On 25/11/2023 21:26, Siddh Raman Pant wrote:
> As we know we cannot send the datagram (state can be set to LLCP_CLOSED
> by nfc_llcp_socket_release()), there is no need to proceed further.
> 
> Thus, bail out early from llcp_sock_sendmsg().
> 
> Signed-off-by: Siddh Raman Pant <code@siddh.me>


Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>


Best regards,
Krzysztof
Patch

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index ef1ab88a5e4f..603f2219b62f 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -796,6 +796,11 @@  static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 	}
 
 	if (sk->sk_type == SOCK_DGRAM) {
+		if (sk->sk_state != LLCP_BOUND) {
+			release_sock(sk);
+			return -ENOTCONN;
+		}
+
 		DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
 				 msg->msg_name);
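Review bot: the new check at the top of the SOCK_DGRAM branch rejects every state other than LLCP_BOUND, while the commit message only motivates rejecting LLCP_CLOSED (set by nfc_llcp_socket_release()); either the commit message should state that never-bound datagram sockets are now also refused with -ENOTCONN (previously this branch had no state check at all, so userspace could reach the send path in that state), or the condition should be narrowed to `sk->sk_state == LLCP_CLOSED` if that is the only case intended. Since the series is described as fixing a use-after-free, this patch should also carry a Fixes: tag and a target-tree prefix in the subject; the checks above flag both as missing.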