Unverified Commit a74e7ec1 authored Jan 04, 2024 by openeuler-ci-bot Committed by Gitee Jan 04, 2024

!3686 Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg

Merge Pull Request from: @ci-robot 
 
PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ESBDD3XU33FW2SY3JYV4J46YCAFXU7ZG/ 
 
https://gitee.com/src-openeuler/kernel/issues/I8RXOD 
 
Link:https://gitee.com/openeuler/kernel/pulls/3686

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parents 7af62ccc ff923ebb

net/bluetooth/af_bluetooth.c

+6 −1

Original line number	Diff line number	Diff line
		@@ -263,11 +263,14 @@ int bt_sock_recvmsg(struct socket sock, struct msghdr msg, size_t len,
		if (flags & MSG_OOB)
		return -EOPNOTSUPP;

		lock_sock(sk);

		skb = skb_recv_datagram(sk, flags, noblock, &err);
		if (!skb) {
		if (sk->sk_shutdown & RCV_SHUTDOWN)
		return 0;
		err = 0;

		release_sock(sk);
		return err;
		}

		@@ -293,6 +296,8 @@ int bt_sock_recvmsg(struct socket sock, struct msghdr msg, size_t len,

		skb_free_datagram(sk, skb);

		release_sock(sk);

		if (flags & MSG_TRUNC)
		copied = skblen;