Add SOCK_STREAM check into usbip_prepare_threads(), for current code is
not verifying that a file descriptor passed is actually a stream socket.
If the file descriptor passed was a SOCK_DGRAM socket, sock_recvmsg()
can't detect end of stream.
Tested-by: syzbot <syzbot+a93fba6d384346a761e3@xxxxxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/usbip/usbip_common.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index 9f677c5a74e8..f80098c3dd10 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -762,6 +762,11 @@ int usbip_prepare_threads(struct usbip_thread_info *uti,
socket = sockfd_lookup(sockfd, &err);
if (!socket)
return -EINVAL;
+ /* Verify that this is a stream socket. */
+ if (socket->type != SOCK_STREAM) {
+ err = -EINVAL;
+ goto out_socket;
+ }
/* Create threads for this socket. */
rx = kthread_create(rx_fn, ud, rx_name);
if (IS_ERR(rx)) {
--
2.18.4
