linux/net
Paolo Abeni d3ab78858f mptcp: fix NULL ptr dereference on bad MPJ
If an msk listener receives an MPJ carrying an invalid token, it
will zero the request socket msk entry. That should later
cause fallback and subflow reset - as per RFC - at
subflow_syn_recv_sock() time due to failing hmac validation.

Since commit 4cf8b7e48a ("subflow: introduce and use
mptcp_can_accept_new_subflow()"), we unconditionally dereference
- in mptcp_can_accept_new_subflow - the subflow request msk
before performing hmac validation. In the above scenario we
hit a NULL ptr dereference.

Address the issue doing the hmac validation earlier.

Fixes: 4cf8b7e48a ("subflow: introduce and use mptcp_can_accept_new_subflow()")
Tested-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Link: https://lore.kernel.org/r/03b2cfa3ac80d8fc18272edc6442a9ddf0b1e34e.1606400227.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-11-27 11:05:31 -08:00
..
6lowpan treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
9p net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-10-12 10:05:47 +02:00
802
8021q net: vlan: Fixed signedness in vlan_group_prealloc_vid() 2020-09-28 00:51:39 -07:00
appletalk appletalk: Fix atalk_proc_init() return path 2020-08-03 15:48:32 -07:00
atm net: atm: fix update of position index in lec_seq_next 2020-10-31 12:26:30 -07:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
batman-adv batman-adv: set .owner to THIS_MODULE 2020-11-15 11:43:56 +01:00
bluetooth Bluetooth: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
bpf bpf: fix raw_tp test run in preempt kernel 2020-09-30 08:34:08 -07:00
bpfilter Revert "bpfilter: Fix build error with CONFIG_BPFILTER_UMH" 2020-10-15 12:33:24 -07:00
bridge net: bridge: add missing counters to ndo_get_stats64 callback 2020-11-16 15:47:50 -08:00
caif caif: Remove duplicate macro SRVL_CTRL_PKT_SIZE 2020-09-05 15:57:05 -07:00
can can: af_can: prevent potential access of uninitialized member in canfd_rcv() 2020-11-15 18:24:33 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-10-12 15:29:27 +02:00
core devlink: Make sure devlink instance and port are in same net namespace 2020-11-25 17:26:34 -08:00
dcb net: DCB: Validate DCB_ATTR_DCB_BUFFER argument 2020-09-10 15:09:08 -07:00
dccp tcp: fix race condition when creating child sockets from syncookies 2020-11-23 16:32:33 -08:00
decnet treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
dns_resolver
dsa net: dsa: tag_ksz: KSZ8795 and KSZ9477 also use tail tags 2020-10-19 17:32:50 -07:00
ethernet
ethtool ethtool: netlink: add missing netdev_features_change() call 2020-11-09 17:15:34 -08:00
hsr genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
ieee802154 genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
ife
ipv4 tcp: Set ECT0 bit in tos/tclass for synack when BPF needs ECN 2020-11-24 14:12:55 -08:00
ipv6 ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init 2020-11-25 11:20:16 -08:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-11-21 14:43:45 -08:00
kcm net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
l2tp genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
l3mdev net: Fix some comments 2020-08-27 07:55:59 -07:00
lapb treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
llc net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
mac80211 mac80211: free sta in sta_info_insert_finish() on errors 2020-11-13 09:48:32 +01:00
mac802154 Merge tag 'ieee802154-for-davem-2020-09-08' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan 2020-09-08 20:12:58 -07:00
mpls mpls: load mpls_gso after mpls_iptunnel 2020-10-20 21:16:45 -07:00
mptcp mptcp: fix NULL ptr dereference on bad MPJ 2020-11-27 11:05:31 -08:00
ncsi net/ncsi: Fix netlink registration 2020-11-12 17:00:13 -08:00
netfilter netfilter: ipset: Update byte and packet counters regardless of whether they match 2020-10-31 11:11:11 +01:00
netlabel netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() 2020-11-14 12:07:57 -08:00
netlink netlink: export policy in extended ACK 2020-10-09 20:22:32 -07:00
netrom treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
nfc nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() 2020-10-20 17:06:22 -07:00
nsh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
openvswitch net: openvswitch: fix TTL decrement action netlink message format 2020-11-27 11:03:06 -08:00
packet net/packet: fix packet receive on L3 devices without visible hard header 2020-11-23 17:29:36 -08:00
phonet treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
psample genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
qrtr net: qrtr: ns: Fix the incorrect usage of rcu_read_lock() 2020-10-06 06:01:35 -07:00
rds RDMA: Add rdma_connect_locked() 2020-10-28 09:14:49 -03:00
rfkill rfkill: Fix use-after-free in rfkill_resume() 2020-11-12 09:18:06 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc rxrpc: Fix loss of final ack on shutdown 2020-10-15 13:28:00 +01:00
sched netem: fix zero division in tabledist 2020-10-29 11:45:47 -07:00
sctp sctp: change to hold/put transport for proto_unreach_timer 2020-11-14 11:57:12 -08:00
smc net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() 2020-11-19 10:59:19 -08:00
strparser
sunrpc net/sunrpc: fix useless comparison in proc_do_xprt() 2020-11-08 16:28:25 -05:00
switchdev net: switchdev: Fixed kerneldoc warning 2020-09-23 17:46:31 -07:00
tipc tipc: fix memory leak in tipc_topsrv_start() 2020-11-11 14:39:23 -08:00
tls net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-11-25 17:31:06 -08:00
unix networking changes for the 5.10 merge window 2020-10-15 18:42:13 -07:00
vmw_vsock vsock/virtio: discard packets only when socket is really closed 2020-11-23 16:36:29 -08:00
wimax genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
wireless cfg80211: regulatory: Fix inconsistent format argument 2020-10-30 10:06:56 +01:00
x25 net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request 2020-11-12 18:01:40 -08:00
xdp xsk: Fix possible memory leak at socket close 2020-10-29 15:19:56 +01:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-11-04 08:12:52 -08:00
compat.c iov_iter: transparently handle compat iovecs in import_iovec 2020-10-03 00:02:13 -04:00
devres.c net: devres: rename the release callback of devm_register_netdev() 2020-06-30 15:57:34 -07:00
Kconfig drop_monitor: Convert to using devlink tracepoint 2020-09-30 18:01:26 -07:00
Makefile
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
sysctl_net.c