af_rxrpc: Avoid setting up double-free on checksum error

[deliverable/linux.git] / net / rxrpc / ar-recvmsg.c

diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c
index 4b48687c3890fc64c186b797181062a4cc9ac4fa..64cba2e35156adaa23ec24c5fb67657136172945 100644 (file)
--- a/net/rxrpc/ar-recvmsg.c
+++ b/net/rxrpc/ar-recvmsg.c
@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
 
                /* copy the peer address and timestamp */
                if (!continue_call) {
-                       if (msg->msg_name && msg->msg_namelen > 0)
+                       if (msg->msg_name) {
+                               size_t len =
+                                       sizeof(call->conn->trans->peer->srx);
                                memcpy(msg->msg_name,
-                                      &call->conn->trans->peer->srx,
-                                      sizeof(call->conn->trans->peer->srx));
+                                      &call->conn->trans->peer->srx, len);
+                               msg->msg_namelen = len;
+                       }
                        sock_recv_ts_and_drops(msg, &rx->sk, skb);
                }
 
@@ -350,6 +353,10 @@ csum_copy_error:
        if (continue_call)
                rxrpc_put_call(continue_call);
        rxrpc_kill_skb(skb);
+       if (!(flags & MSG_PEEK)) {
+               if (skb_dequeue(&rx->sk.sk_receive_queue) != skb)
+                       BUG();
+       }
        skb_kill_datagram(&rx->sk, skb, flags);
        rxrpc_put_call(call);
        return -EAGAIN;