llc_conn_handler() does not check the accept queue limit before creating a new socket for incoming connections. This allows an attacker to send a large number of SABME PDUs to exhaust system memory by creating unlimited sockets. The issue is similar to the TCP SYN flood problem, but LLC lacks the protection mechanisms that TCP has (like SYN cookies and accept queue limits). Add sk_acceptq_is_full() check before creating new socket and call sk_acceptq_added() after successful socket creation to properly track the accept queue length. This ensures that the backlog limit set by listen() is respected. Fixes: d389424e00f90 ("[LLC]: Fix the accept path") Signed-off-by: Kery Qi --- net/llc/llc_conn.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c index 5c0ac243b248..9296b5d6b04a 100644 --- a/net/llc/llc_conn.c +++ b/net/llc/llc_conn.c @@ -802,10 +802,15 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb) * in the newly created struct sock private area. -acme */ if (unlikely(sk->sk_state == TCP_LISTEN)) { - struct sock *newsk = llc_create_incoming_sock(sk, skb->dev, - &saddr, &daddr); + struct sock *newsk; + + if (sk_acceptq_is_full(sk)) + goto drop_unlock; + newsk = llc_create_incoming_sock(sk, skb->dev, + &saddr, &daddr); if (!newsk) goto drop_unlock; + sk_acceptq_added(sk); skb_set_owner_r(skb, newsk); } else { /* -- 2.34.1