Message ID | 8557847ae1d94d4b4cb4067407253011925c46f7.1613397714.git.geliangtang@gmail.com |
---|---|
State | Superseded, archived |
Delegated to: | Mat Martineau |
On Mon, 15 Feb 2021, Geliang Tang wrote: > Fix the length of RM_ADDR suboption in mptcp_pm_rm_addr_signal. > > Signed-off-by: Geliang Tang <geliangtang@gmail.com> > --- > net/mptcp/pm.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c > index 32f203f186a2..8e97f90cbdec 100644 > --- a/net/mptcp/pm.c > +++ b/net/mptcp/pm.c > @@ -260,7 +260,7 @@ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int remaining, > bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, > struct mptcp_rm_list *rm_list) > { > - int ret = false; > + int ret = false, len; > > spin_lock_bh(&msk->pm.lock); > > @@ -268,7 +268,10 @@ bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, > if (!mptcp_pm_should_rm_signal(msk)) > goto out_unlock; > > - if (remaining < TCPOLEN_MPTCP_RM_ADDR_BASE) Thanks for catching that. > + len = mptcp_rm_addr_len(msk->pm.rm_list_tx); > + if (len < 0) > + goto out_unlock; Should this also clear msk->pm.addr_signal in this error case? Otherwise the bad rm_list will be stuck forever. We shouldn't really run in to this error path since it's our code setting rm_list_tx. > + if (remaining < len) > goto out_unlock; > > *rm_list = msk->pm.rm_list_tx; > -- > 2.29.2 -- Mat Martineau Intel
diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 32f203f186a2..8e97f90cbdec 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -260,7 +260,7 @@ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int remaining, bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, struct mptcp_rm_list *rm_list) { - int ret = false; + int ret = false, len; spin_lock_bh(&msk->pm.lock); @@ -268,7 +268,10 @@ bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, if (!mptcp_pm_should_rm_signal(msk)) goto out_unlock; - if (remaining < TCPOLEN_MPTCP_RM_ADDR_BASE) + len = mptcp_rm_addr_len(msk->pm.rm_list_tx); + if (len < 0) + goto out_unlock; + if (remaining < len) goto out_unlock; *rm_list = msk->pm.rm_list_tx;
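Review bot: In the first hunk, `int ret = false, len;` puts a boolean flag and a byte length in one `int` declaration, although the function returns `bool`. Declaring them separately, `bool ret = false;` and `int len;`, matches each type to its use and keeps the signed `len` visibly distinct from the `unsigned int remaining` it is compared with in the next hunk.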
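Review bot: In the second hunk, the `if (len < 0) goto out_unlock;` path exits without touching the pending signal state, so the same `msk->pm.rm_list_tx` will be evaluated again on every later call and fail the same way. Consider clearing the RM_ADDR state in `msk->pm.addr_signal` before the `goto`, as the review reply also asks, and add a short comment that this path is not expected to be reached. Keep the `len < 0` check ahead of `if (remaining < len)`, since that comparison mixes `unsigned int` with `int` and would convert a negative `len` to a large unsigned value.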
Fix the length of RM_ADDR suboption in mptcp_pm_rm_addr_signal. Signed-off-by: Geliang Tang <geliangtang@gmail.com> --- net/mptcp/pm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)