commit 9eba25268e5862571d53122065616c456fe1142a
author Krzysztof Mazur <krzysiek@podlesie.net> Wed Nov 28 09:08:04 2012 +0100
committer David Woodhouse <David.Woodhouse@intel.com> Sun Dec 02 00:05:19 2012 +0000
tree 30c5053cd10de8dc4c75825d62f89e183e911247
parent 007ef52be171b9eee6f4099d3e5706e8068d31ef

br2684: allow assign only on a connected socket

The br2684 does not check if used vcc is in connected state,
causing potential Oops in pppoatm_send() when vcc->send() is called
on not fully connected socket.

Now br2684 can be assigned only on connected sockets; otherwise
-EINVAL error is returned.

Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

net/atm/br2684.c

diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index 6dc383c..403e71f 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -735,10 +735,13 @@
 			return -ENOIOCTLCMD;
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
-		if (cmd == ATM_SETBACKEND)
+		if (cmd == ATM_SETBACKEND) {
+			if (sock->state != SS_CONNECTED)
+				return -EINVAL;
 			return br2684_regvcc(atmvcc, argp);
-		else
+		} else {
 			return br2684_create(argp);
+		}
 #ifdef CONFIG_ATM_BR2684_IPFILTER
 	case BR2684_SETFILT:
 		if (atmvcc->push != br2684_push)