NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()

[cascardo/linux.git] / net / nfc / llcp / sock.c

diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 5332751..6c94447 100644 (file)
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -270,7 +270,9 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
                }
 
                if (sk->sk_state == LLCP_CONNECTED || !newsock) {
-                       nfc_llcp_accept_unlink(sk);
+                       list_del_init(&lsk->accept_queue);
+                       sock_put(sk);
+
                        if (newsock)
                                sock_graft(sk, newsock);
 
@@ -278,6 +280,8 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
 
                        pr_debug("Returning sk state %d\n", sk->sk_state);
 
+                       sk_acceptq_removed(parent);
+
                        return sk;
                }
 
@@ -462,8 +466,6 @@ static int llcp_sock_release(struct socket *sock)
                        nfc_llcp_accept_unlink(accept_sk);
 
                        release_sock(accept_sk);
-
-                       sock_orphan(accept_sk);
                }
        }
 
@@ -644,6 +646,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 
        pr_debug("%p %zu\n", sk, len);
 
+       msg->msg_namelen = 0;
+
        lock_sock(sk);
 
        if (sk->sk_state == LLCP_CLOSED &&
@@ -689,6 +693,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 
                pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
 
+               memset(sockaddr, 0, sizeof(*sockaddr));
                sockaddr->sa_family = AF_NFC;
                sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP;
                sockaddr->dsap = ui_cb->dsap;