On Thu, 21 May 2026 07:32:08 -0700, Breno Leitao wrote:
> nfc: llcp: two fixes for nfc_llcp_getsockopt()
>
> While converting the NFC LLCP socket layer to the new getsockopt_iter()
> API, I noticed that nfc_llcp_getsockopt() unconditionally stores four
> bytes through a (u32 __user *) cast regardless of the caller-supplied
> optlen, overflowing the user buffer when optlen < 4. Patch 1 adds an
> explicit length check (with a signed-int guard so a negative optlen
> cannot slip past it) and is what I originally sent as v1.
>
> [...]

Applied, thanks!

[1/2] nfc: llcp: avoid userspace overflow on invalid optlen
      commit: 4daea11b40619f91a084db0271cfe095a82cf4be
[2/2] nfc: llcp: read llcp_sock->local under the socket lock in getsockopt
      commit: 6a7c71fc20c71d1e41787a25a8b7485abb592e6c

Best regards,
--
David Heidelberg <[email protected]>
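The length problem described in the quoted cover letter, as an added example that is not part of the original mail and not code from the patches: a userspace model of a getsockopt-style handler that stores four bytes regardless of optlen, next to a check that compares only as unsigned and a check with a signed guard. All names (`ubuf`, `get_unchecked`, `get_unsigned_check`, `get_checked`) are hypothetical, and the `-EINVAL` return is an assumption about how an invalid length is rejected.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a user buffer: the caller owns only the first `cap`
 * bytes of mem; the rest is 0xAA padding that must stay untouched. */
struct ubuf { unsigned char mem[8]; size_t cap; };

void ubuf_init(struct ubuf *u, size_t cap) { memset(u->mem, 0xAA, sizeof(u->mem)); u->cap = cap; }

/* Number of bytes written past the end of the caller's buffer. */
size_t clobbered(const struct ubuf *u)
{
    size_t n = 0;
    for (size_t i = u->cap; i < sizeof(u->mem); i++)
        n += (u->mem[i] != 0xAA);
    return n;
}

/* Stand-in for a put_user() through a (u32 __user *) cast: always 4 bytes. */
static void store_u32(struct ubuf *u, uint32_t val) { memcpy(u->mem, &val, sizeof(val)); }

/* Unchecked pattern: optlen is never compared with the size of the store. */
int get_unchecked(struct ubuf *u, int *optlen, uint32_t val)
{
    store_u32(u, val);
    *optlen = (int)sizeof(uint32_t);
    return 0;
}

/* Unsigned-only check: a negative optlen converts to a huge size_t and passes. */
int get_unsigned_check(struct ubuf *u, int *optlen, uint32_t val)
{
    if ((size_t)*optlen < sizeof(uint32_t))
        return -EINVAL;
    store_u32(u, val);
    *optlen = (int)sizeof(uint32_t);
    return 0;
}

/* Length check with a signed guard (assumed shape; -EINVAL is an assumption). */
int get_checked(struct ubuf *u, int *optlen, uint32_t val)
{
    int len = *optlen;
    if (len < 0 || (size_t)len < sizeof(uint32_t))
        return -EINVAL;
    store_u32(u, val);
    *optlen = (int)sizeof(uint32_t);
    return 0;
}
```

The `(size_t)` cast in `get_unsigned_check` makes explicit the conversion that C applies implicitly when a signed `int` is compared with `sizeof`.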
