Skip to content

Commit

Permalink
phonet/pep: refuse to enable an unbound pipe
Browse files Browse the repository at this point in the history 
commit 75a2f31 upstream.

This ioctl() implicitly assumed that the socket was already bound to
a valid local socket name, i.e. Phonet object. If the socket was not
bound, two separate problems would occur:

1) We'd send an pipe enablement request with an invalid source object.
2) Later socket calls could BUG on the socket unexpectedly being
   connected yet not bound to a valid object.

Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Rémi Denis-Courmont authored and Greg Kroah-Hartman committed Dec 29, 2021
1 parent b68f41c commit 982b6ba
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/phonet/pep.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -959,6 +959,8 @@ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
ret = -EBUSY;
else if (sk->sk_state == TCP_ESTABLISHED)
ret = -EISCONN;
else if (!pn->pn_sk.sobject)
ret = -EADDRNOTAVAIL;
else
ret = pep_sock_enable(sk, NULL, 0);
release_sock(sk);
Expand Down

0 comments on commit 982b6ba

Please sign in to comment.