When sendmsg() is called with the RXRPC_ACCEPT control message, sendmsg() shouldn't also be given an address in msg_name.
Signed-off-by: David Howells <dhowe...@redhat.com> --- net/rxrpc/ar-output.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/ar-output.c b/net/rxrpc/ar-output.c index b87fda075b45..044de9bf34a4 100644 --- a/net/rxrpc/ar-output.c +++ b/net/rxrpc/ar-output.c @@ -199,7 +199,8 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) return ret; if (cmd == RXRPC_CMD_ACCEPT) { - if (rx->sk.sk_state != RXRPC_SERVER_LISTENING) + if (rx->sk.sk_state != RXRPC_SERVER_LISTENING || + msg->msg_name) return -EINVAL; call = rxrpc_accept_call(rx, user_call_ID); if (IS_ERR(call))