Message ID | 156207955265.1655.13658692984261290810.stgit@warthog.procyon.org.uk |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [net] rxrpc: Fix send on a connected, but unbound socket |
From: David Howells <dhowells@redhat.com>
Date: Tue, 02 Jul 2019 15:59:12 +0100

> If sendmsg() or sendmmsg() is called on a connected socket that hasn't had
> bind() called on it, then an oops will occur when the kernel tries to
> connect the call because no local endpoint has been allocated.
>
> Fix this by implicitly binding the socket if it is in the
> RXRPC_CLIENT_UNBOUND state, just like it does for the RXRPC_UNBOUND state.
>
> Further, the state should be transitioned to RXRPC_CLIENT_BOUND after this
> to prevent further attempts to bind it.
>
> This can be tested with:
...
> Leading to the following oops:
...
> Fixes: 2341e0775747 ("rxrpc: Simplify connect() implementation and simplify sendmsg() op")
> Reported-by: syzbot+7966f2a0b2c7da8939b4@syzkaller.appspotmail.com
> Signed-off-by: David Howells <dhowells@redhat.com>
> Reviewed-by: Marc Dionne <marc.dionne@auristor.com>

Applied and queued up for -stable, thanks.
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c index f9f4721cdfa7..d09eaf153544 100644 --- a/net/rxrpc/af_rxrpc.c +++ b/net/rxrpc/af_rxrpc.c @@ -545,6 +545,7 @@ static int rxrpc_sendmsg(struct socket *sock, struct msghdr *m, size_t len) switch (rx->sk.sk_state) { case RXRPC_UNBOUND: + case RXRPC_CLIENT_UNBOUND: rx->srx.srx_family = AF_RXRPC; rx->srx.srx_service = 0; rx->srx.transport_type = SOCK_DGRAM; @@ -569,10 +570,9 @@ static int rxrpc_sendmsg(struct socket *sock, struct msghdr *m, size_t len) } rx->local = local; - rx->sk.sk_state = RXRPC_CLIENT_UNBOUND; + rx->sk.sk_state = RXRPC_CLIENT_BOUND; /* Fall through */ - case RXRPC_CLIENT_UNBOUND: case RXRPC_CLIENT_BOUND: if (!m->msg_name && test_bit(RXRPC_SOCK_CONNECTED, &rx->flags)) {
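Review bot: in the first hunk (@@ -545) the new `case RXRPC_CLIENT_UNBOUND:` label sits directly under `case RXRPC_UNBOUND:`, so both states now run the implicit-bind block that unconditionally rewrites `rx->srx.srx_family`, `rx->srx.srx_service` and `rx->srx.transport_type`. That is only safe if nothing on the connect() path stores caller-supplied data in rx->srx for a socket left in RXRPC_CLIENT_UNBOUND; the commit message says connect() never allocated a local endpoint for that state, so this should hold, but a one-line comment above the shared labels (for example `/* A connect()ed but never bind()ed socket still needs a local endpoint */`) would record why the two states share the path, since the commit message is otherwise the only record of it.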
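Review bot: in the second hunk (@@ -569) the state written after `rx->local = local;` changes from RXRPC_CLIENT_UNBOUND to RXRPC_CLIENT_BOUND, and `case RXRPC_CLIENT_UNBOUND:` is removed from the fall-through targets. Together with the first hunk this gives RXRPC_CLIENT_UNBOUND a single meaning (no local endpoint yet), which closes the NULL-endpoint oops, but it also changes the state reached by a socket that came in as RXRPC_UNBOUND: it now ends up in RXRPC_CLIENT_BOUND rather than RXRPC_CLIENT_UNBOUND after its first sendmsg(). Worth confirming that other code testing for RXRPC_CLIENT_UNBOUND, which is outside this diff, still behaves correctly for such an implicitly bound socket, and calling that behaviour change out explicitly in the commit message. The `/* Fall through */` comment still sits directly above the remaining `case RXRPC_CLIENT_BOUND:` label, so the annotation stays correct after the label removal.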