Unverified Commit f4268b46 authored by Lee Jones, committed by David Heidelberg

nfc: llcp: Fix use-after-free in llcp_sock_release()
llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239 ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org

Signed-off-by: David Heidelberg <david@ixit.cz>
parent 7fd2df20
+2 −0
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)

	if (sock->type == SOCK_RAW)
		nfc_llcp_sock_unlink(&local->raw_sockets, sk);
	else if (sk->sk_state == LLCP_CONNECTING)
		nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
	else
		nfc_llcp_sock_unlink(&local->sockets, sk);
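Review bot: the new `else if (sk->sk_state == LLCP_CONNECTING)` branch makes the choice of list depend on `sk_state` being stable at release time, and the hunk does not show which lock serializes this check against the connect path that moves a socket off `connecting_sockets` and updates the state. If that transition and this unlink are not taken under the same lock as `nfc_llcp_sock_unlink()`, a socket that completes or fails its connection concurrently could still be unlinked from the wrong list; the commit message should name the lock that makes the check safe, or the code should carry a short comment to that effect. The message would also read better if it spelled out the consequence it fixes: a socket left on `connecting_sockets` after release is what produces the use-after-free named in the subject.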