Commit c5c79763 authored May 29, 2020 by Paolo Abeni Committed by David S. Miller May 30, 2020

mptcp: remove msk from the token container at destruction time.



Currently we remote the msk from the token container only
via mptcp_close(). The MPTCP master socket can be destroyed
also via other paths (e.g. if not yet accepted, when shutting
down the listener socket). When we hit the latter scenario,
dangling msk references are left into the token container,
leading to memory corruption and/or UaF.

This change addresses the issue by moving the token removal
into the msk destructor.

Fixes: 79c0949e ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 10f6d46c

net/mptcp/protocol.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1263,7 +1263,6 @@ static void mptcp_close(struct sock *sk, long timeout)

		lock_sock(sk);

		mptcp_token_destroy(msk->token);
		inet_sk_state_store(sk, TCP_CLOSE);

		/* be sure to always acquire the join list lock, to sync vs
		@@ -1461,6 +1460,7 @@ static void mptcp_destroy(struct sock *sk)
		{
		struct mptcp_sock *msk = mptcp_sk(sk);

		mptcp_token_destroy(msk->token);
		if (msk->cached_ext)
		__skb_ext_put(msk->cached_ext);

Admin message