diff options
| author | Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru> | 2025-05-15 12:20:15 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-06-04 14:32:35 +0200 |
| commit | 7ff230d85352bc66a2cbf6f162ee3351f30ca80f (patch) | |
| tree | 87719189f92eb66c3e3032cd5fd180241d26908a | |
| parent | c0e05a76fc727929524ef24a19c302e6dd40233f (diff) | |
llc: fix data loss when reading from a socket in llc_ui_recvmsg()
commit 239af1970bcb039a1551d2c438d113df0010c149 upstream.
For SOCK_STREAM sockets, if user buffer size (len) is less
than skb size (skb->len), the remaining data from skb
will be lost after calling kfree_skb().
To fix this, move the statement for partial reading
above skb deletion.
Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org)
Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/llc/af_llc.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index d57bfce94d60..390fcbe885b1 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -885,15 +885,15 @@ static int llc_ui_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, if (sk->sk_type != SOCK_STREAM) goto copy_uaddr; + /* Partial read */ + if (used + offset < skb_len) + continue; + if (!(flags & MSG_PEEK)) { skb_unlink(skb, &sk->sk_receive_queue); kfree_skb(skb); *seq = 0; } - - /* Partial read */ - if (used + offset < skb_len) - continue; } while (len > 0); out: |