Message-ID: <3df56245-d104-4ce2-ab88-0fb1d29cd629@siddh.me> Date: Tue, 14 Nov 2023 17:36:27 +0530 From: Siddh Raman Pant <code@...dh.me> To: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- net/nfc/llcp_sock.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 645677f84dba..699f7f6cc0b8 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -791,33 +791,39 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg, lock_sock(sk); if (!llcp_sock->local) { - release_sock(sk); - return -ENODEV; + ret = -ENODEV; + goto out; } if (sk->sk_type == SOCK_DGRAM) { + if (sk->sk_state != LLCP_BOUND) { + ret = -ENOLINK; + goto out; + } + DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, msg->msg_name); if (msg->msg_namelen < sizeof(*addr)) { - release_sock(sk); - return -EINVAL; + ret = -EINVAL; + goto out; } - release_sock(sk); - - return nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap, - msg, len); + ret = nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap, + msg, len); + goto out; } if (sk->sk_state != LLCP_CONNECTED) { - release_sock(sk); - return -ENOTCONN; + ret = -ENOTCONN; + goto out; } - release_sock(sk); + ret = nfc_llcp_send_i_frame(llcp_sock, msg, len); - return nfc_llcp_send_i_frame(llcp_sock, msg, len); +out: + release_sock(sk); + return ret; } static int llcp_sock_recvmsg(struct socket *sock, struct msghdr *msg, -- 2.42.0
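Review bot: In the reworked tail of llcp_sock_sendmsg(), nfc_llcp_send_ui_frame() and nfc_llcp_send_i_frame() now run with the socket lock held, where the removed lines called release_sock(sk) before each of them. Please confirm that neither helper, nor anything it calls, takes lock_sock(sk) itself, and state in the changelog that keeping the lock across the send is the intended fix. The posting has no commit message, so the reason for the new SOCK_DGRAM check (sk->sk_state != LLCP_BOUND returning -ENOLINK) is also undocumented. A style point in the same block: the new state check is placed ahead of DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, msg->msg_name), which is a declaration, so this introduces a declaration after a statement. Either move the check below the DECLARE_SOCKADDR line or declare addr at the top of the block.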