Unverified Commit cc64d5dc authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10661 fix CVE-2024-41062

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XJVWBHY46NKJHOIZDW2HZKX6EYORG6AJ/ 
Fix CVE-2024-41062

Edward Adam Davis (1):
  bluetooth/l2cap: sync sock recv cb and release

Luiz Augusto von Dentz (1):
  Bluetooth: L2CAP: Fix deadlock


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAGEK1 
 
Link:https://gitee.com/openeuler/kernel/pulls/10661

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parents a365266a f9b97822
+3 −0
@@ -7757,6 +7757,8 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,

	BT_DBG("chan %p, len %d", chan, skb->len);

	l2cap_chan_lock(chan);

	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
		goto drop;

@@ -7773,6 +7775,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
	}

drop:
	l2cap_chan_unlock(chan);
	l2cap_chan_put(chan);
free_skb:
	kfree_skb(skb);
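Review bot: The new `l2cap_chan_unlock(chan)` sits only under `drop:`, so any exit between the added `l2cap_chan_lock(chan)` and that label that does not jump to `drop:` leaves `l2cap_conless_channel()` with the channel lock still held. The block that closes with `}` just above `drop:` starts outside the hunk; if it returns directly after handing the skb to the channel's recv callback (not shown here), that path needs `l2cap_chan_unlock(chan);` before its `return`. A leaked channel lock would stall every later operation on that channel, so this is worth confirming against the full function, which begins and ends outside these hunks.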
+9 −1
@@ -1238,6 +1238,10 @@ static void l2cap_sock_kill(struct sock *sk)

	BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));

	/* Sock is dead, so set chan data to NULL, avoid other task use invalid
	 * sock pointer.
	 */
	l2cap_pi(sk)->chan->data = NULL;
	/* Kill poor orphan */

	l2cap_chan_put(l2cap_pi(sk)->chan);
@@ -1480,9 +1484,13 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)

static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
{
	struct sock *sk = chan->data;
	struct sock *sk;
	int err;

	sk = chan->data;
	if (!sk)
		return -ENXIO;

	lock_sock(sk);

	if (l2cap_pi(sk)->rx_busy_skb) {
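Review bot: `l2cap_sock_recv_cb()` now reads `chan->data` and tests it for NULL before `lock_sock(sk)`, but nothing in the function says which lock makes that read safe against the new `l2cap_pi(sk)->chan->data = NULL;` store in `l2cap_sock_kill()`. The check only closes the stale-socket window if every caller of the recv callback and every caller of `l2cap_sock_kill()` holds the channel lock. Those callers are outside this section, so that is presumably the intended contract rather than something visible here. Once confirmed, I would state it above the read, e.g. `/* Caller must hold the chan lock, which serialises this read with l2cap_sock_kill(). */`, and consider `lockdep_assert_held(&chan->lock);` so that an unlocked caller added later is caught in testing. The body of `l2cap_sock_recv_cb()` continues past the end of the hunk.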