[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3df56245-d104-4ce2-ab88-0fb1d29cd629@siddh.me>
Date: Tue, 14 Nov 2023 17:36:27 +0530
From: Siddh Raman Pant <code@...dh.me>
To: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in
nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/nfc/llcp_sock.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..699f7f6cc0b8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -791,33 +791,39 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
lock_sock(sk);
if (!llcp_sock->local) {
- release_sock(sk);
- return -ENODEV;
+ ret = -ENODEV;
+ goto out;
}
if (sk->sk_type == SOCK_DGRAM) {
+ if (sk->sk_state != LLCP_BOUND) {
+ ret = -ENOLINK;
+ goto out;
+ }
+
DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
msg->msg_name);
if (msg->msg_namelen < sizeof(*addr)) {
- release_sock(sk);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
- release_sock(sk);
-
- return nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
- msg, len);
+ ret = nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
+ msg, len);
+ goto out;
}
if (sk->sk_state != LLCP_CONNECTED) {
- release_sock(sk);
- return -ENOTCONN;
+ ret = -ENOTCONN;
+ goto out;
}
- release_sock(sk);
+ ret = nfc_llcp_send_i_frame(llcp_sock, msg, len);
- return nfc_llcp_send_i_frame(llcp_sock, msg, len);
+out:
+ release_sock(sk);
+ return ret;
}
static int llcp_sock_recvmsg(struct socket *sock, struct msghdr *msg,
--
2.42.0
Powered by blists - more mailing lists