From 9eba25268e5862571d53122065616c456fe1142a Mon Sep 17 00:00:00 2001 From: Krzysztof Mazur Date: Wed, 28 Nov 2012 09:08:04 +0100 Subject: [PATCH] br2684: allow assign only on a connected socket The br2684 does not check if used vcc is in connected state, causing potential Oops in pppoatm_send() when vcc->send() is called on not fully connected socket. Now br2684 can be assigned only on connected sockets; otherwise -EINVAL error is returned. Signed-off-by: Krzysztof Mazur Signed-off-by: David Woodhouse --- net/atm/br2684.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/atm/br2684.c b/net/atm/br2684.c index 6dc383c90262..403e71fa88fe 100644 --- a/net/atm/br2684.c +++ b/net/atm/br2684.c @@ -735,10 +735,13 @@ static int br2684_ioctl(struct socket *sock, unsigned int cmd, return -ENOIOCTLCMD; if (!capable(CAP_NET_ADMIN)) return -EPERM; - if (cmd == ATM_SETBACKEND) + if (cmd == ATM_SETBACKEND) { + if (sock->state != SS_CONNECTED) + return -EINVAL; return br2684_regvcc(atmvcc, argp); - else + } else { return br2684_create(argp); + } #ifdef CONFIG_ATM_BR2684_IPFILTER case BR2684_SETFILT: if (atmvcc->push != br2684_push) -- 2.20.1