From: Krzysztof Kozlowski krzysztof.kozlowski@canonical.com
mainline inclusion
from mainline-v5.18-rc1
commit 13a3585b264bfeba018941a713b8d7fc9b8221a2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NLJR
CVE: CVE-2023-3863
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
---------------------------
Nullify the llcp_sock->dev on llcp_sock_connect() error paths, symmetrically to the code llcp_sock_bind(). The non-NULL value of llcp_sock->dev is used in a few places to check whether the socket is still valid.
There was no particular issue observed with missing NULL assignment in connect() error path, however a similar case - in the bind() error path - was triggerable. That one was fixed in commit 4ac06a1e013c ("nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect"), so the change here seems logical as well.
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@canonical.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com
---
 net/nfc/llcp_sock.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 2162644a37e9..5c730830e9db 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -776,6 +776,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, llcp_sock->local = NULL;
put_dev: + llcp_sock->dev = NULL; nfc_put_device(dev);
error:
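Review bot: the new llcp_sock->dev = NULL sits only under put_dev:, so a failure that jumps straight to error: skips it. Please confirm that llcp_sock->dev is never assigned before the first jump that goes through put_dev:, otherwise a stale non-NULL dev could still pass the "socket is still valid" checks the commit message mentions. Clearing the field before nfc_put_device(dev) is the right order, since the reference is dropped through the local dev variable and the socket no longer points at the device once the reference is gone. On documentation: the message describes 4ac06a1e013c as the bind() error-path fix while its quoted subject says "after failed connect", and it states that no issue was observed in this path although the backport header carries CVE-2023-3863. A sentence reconciling both would help anyone auditing this backport.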