author: Rémi Denis-Courmont <remi@remlab.net> 2021-12-19 20:03:39 +0300
committer: David S. Miller <davem@davemloft.net> 2021-12-20 14:49:51 +0300
commit: 75a2f31520095600f650597c0ac41f48b5ba0068
tree: 3bf4114fa31c3388547618e70e5191b9506de0a2 /net
parent: 662f11d55ffd02933e1bd275d732b97eddccf870
phonet/pep: refuse to enable an unbound pipe
This ioctl() implicitly assumed that the socket was already bound to a valid local socket name, i.e. Phonet object. If the socket was not bound, two separate problems would occur:

1) We'd send a pipe enablement request with an invalid source object.
2) Later socket calls could BUG on the socket unexpectedly being connected yet not bound to a valid object.

Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- net/phonet/pep.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index b4f90afb0638..65d463ad8770 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -947,6 +947,8 @@ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
ret = -EBUSY;
else if (sk->sk_state == TCP_ESTABLISHED)
ret = -EISCONN;
+ else if (!pn->pn_sk.sobject)
+ ret = -EADDRNOTAVAIL;
else
ret = pep_sock_enable(sk, NULL, 0);
release_sock(sk);
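Review bot: the new `else if (!pn->pn_sk.sobject)` branch carries no comment, and nothing in the code says that a zero `sobject` means the socket was never bound; that is stated only in the commit message. A one-line comment above the check, saying that an unbound socket has no valid source object for the enable request, would keep the reason next to the code. The test is placed before `release_sock(sk)`, alongside the `sk_state` checks, which is where it needs to be. Callers that previously reached `pep_sock_enable()` on an unbound socket now get -EADDRNOTAVAIL, so that return value should be listed wherever this ioctl's errors are documented.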