From: Kery Qi <qikeyu2017@gmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com
Cc: horms@kernel.org, mingo@kernel.org, tglx@kernel.org,
acme@mandriva.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Kery Qi <qikeyu2017@gmail.com>
Subject: [PATCH] llc: fix resource exhaustion in llc_conn_handler()
Date: Sat, 24 Jan 2026 04:22:11 +0800 [thread overview]
Message-ID: <20260123202211.2082-2-qikeyu2017@gmail.com> (raw)
llc_conn_handler() does not check the accept queue limit before
creating a new socket for incoming connections. This allows an
attacker to send a large number of SABME PDUs to exhaust system
memory by creating unlimited sockets.
The issue is similar to the TCP SYN flood problem, but LLC lacks
the protection mechanisms that TCP has (like SYN cookies and
accept queue limits).
Add sk_acceptq_is_full() check before creating new socket and
call sk_acceptq_added() after successful socket creation to
properly track the accept queue length. This ensures that the
backlog limit set by listen() is respected.
Fixes: d389424e00f90 ("[LLC]: Fix the accept path")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
net/llc/llc_conn.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 5c0ac243b248..9296b5d6b04a 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -802,10 +802,15 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
* in the newly created struct sock private area. -acme
*/
if (unlikely(sk->sk_state == TCP_LISTEN)) {
- struct sock *newsk = llc_create_incoming_sock(sk, skb->dev,
- &saddr, &daddr);
+ struct sock *newsk;
+
+ if (sk_acceptq_is_full(sk))
+ goto drop_unlock;
+ newsk = llc_create_incoming_sock(sk, skb->dev,
+ &saddr, &daddr);
if (!newsk)
goto drop_unlock;
+ sk_acceptq_added(sk);
skb_set_owner_r(skb, newsk);
} else {
/*
--
2.34.1
next reply other threads:[~2026-01-23 20:24 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-23 20:22 Kery Qi [this message]
2026-01-25 21:59 ` llc: fix resource exhaustion in llc_conn_handler() Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260123202211.2082-2-qikeyu2017@gmail.com \
--to=qikeyu2017@gmail.com \
--cc=acme@mandriva.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tglx@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox