mptcp: don't leak msk in token container
If a listening MPTCP socket has unaccepted sockets at close
time, the related msks are freed via mptcp_sock_destruct(),
which in turn does not invoke the proto->destroy() method
nor the mptcp_token_destroy() function.

Due to the above, the child msk socket is not removed from
the token container, leading to later UaF.

Address the issue by explicitly removing the token even in the
above error path.

Fixes: 79c0949 ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni authored and davem330 committed Jun 10, 2020
1 parent 5969856 commit 4b5af44
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/mptcp/subflow.c
Expand Up @@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk)
sock_orphan(sk);
}

mptcp_token_destroy(mptcp_sk(sk)->token);
inet_sock_destruct(sk);
}
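
Review bot: The added mptcp_token_destroy(mptcp_sk(sk)->token) call just before inet_sock_destruct(sk) runs unconditionally, and nothing in the hunk shows that it is safe when the token is no longer in the container. Please confirm that mptcp_token_destroy() tolerates a token that is already absent from the container, so that an msk which did go through proto->destroy() cannot be removed twice. A one-line comment above the call would also help, stating that it covers unaccepted msks freed at listener close, since the commit message is currently the only place that explains why the destructor touches the token container.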
