| author | Breno Leitao <leitao@debian.org> | 2026-05-21 07:32:09 -0700 |
|---|---|---|
| committer | David Heidelberg <david@ixit.cz> | 2026-05-29 12:52:04 +0200 |
| commit | 929173aaa7a8912ab770c373a13edac6ca7af40f (patch) | |
| tree | 29d331a58c323d64283590e2e48ae891acfd0d61 /net | |
| parent | f23bf992d65a42007c517b060ca35cebdea3525a (diff) | |
| download | linux-next-history-929173aaa7a8912ab770c373a13edac6ca7af40f.tar.gz | |
nfc: llcp: avoid userspace overflow on invalid optlen

nfc_llcp_getsockopt() casts optval to (u32 __user *) for put_user(), so
the kernel always stores 4 bytes regardless of the caller-supplied
optlen. The existing min_t(u32, len, sizeof(u32)) only clamps the length
reported back to userspace; it does not constrain the store. A call with
optlen < 4 therefore writes past the user buffer, violating the
getsockopt(2) contract for all five supported optnames.

Reject any call with optlen < sizeof(u32) up front. 'len' is int, so a
plain size comparison would promote a negative optlen to size_t and slip
past the check; an explicit 'len < 0' test is added first to catch
negative values before the size compare.

Fixes: 26fd76cab2e6 ("NFC: llcp: Implement socket options")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260521-fix_llc-v2-1-ab44cc09179c@debian.org
Signed-off-by: David Heidelberg <david@ixit.cz>

Diffstat (limited to 'net')
| -rw-r--r-- | net/nfc/llcp_sock.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index feab29fc62f44..4b162df0c3fcb 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -319,6 +319,12 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname, if (get_user(len, optlen)) return -EFAULT; + if (len < 0) + return -EINVAL; + + if (len < sizeof(u32)) + return -EINVAL; + local = llcp_sock->local; if (!local) return -ENODEV; |
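
Review bot: the `if (len < 0)` test added ahead of `if (len < sizeof(u32))` in nfc_llcp_getsockopt() carries no comment saying why it is a separate check, so in the code it reads as redundant and a later cleanup could fold it into the size compare, bringing back the signed-to-size_t promotion the commit message describes. Suggest a one-line comment above it, or a single compare with an explicit cast such as `if (len < (int)sizeof(u32))`, which keeps the comparison signed and makes the intent visible at the call site. Since len is now at least sizeof(u32) past this point, the min_t(u32, len, sizeof(u32)) clamp mentioned in the commit message always yields sizeof(u32) and could be simplified in a follow-up.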
