[net-next,7/9] subflow: explicitly check for plain tcp rsk

Message ID	d3e7a601036127035708ebe28359b8e0ad142b14.1594401165.git.pabeni@redhat.com
State	Accepted, archived
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp-bounces@lists.01.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=205.139.110.61; helo=us-smtp-delivery-1.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Date: Fri, 10 Jul 2020 19:22:16 +0200 Message-Id: <d3e7a601036127035708ebe28359b8e0ad142b14.1594401165.git.pabeni@redhat.com> In-Reply-To: <cover.1594401165.git.pabeni@redhat.com> References: <cover.1594401165.git.pabeni@redhat.com> MIME-Version: 1.0 Message-ID-Hash: 6SSSMNX5Y5XQVGQD3FWBP333PEIROI5K Precedence: list Subject: [MPTCP] [PATCH net-next 7/9] subflow: explicitly check for plain tcp rsk Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/6SSSMNX5Y5XQVGQD3FWBP333PEIROI5K/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	mptcp: cope better with mp_join storm \| expand [net-next,0/9] mptcp: cope better with mp_join storm [net-next,1/9] subflow: always init 'rel_write_seq' [net-next,2/9] mptcp: avoid data corruption on reinsert [net-next,3/9] mptcp: mark as fallback even early ones [net-next,4/9] mptcp: zero token hash at creation time. [net-next,5/9] mptcp: make msk established at remote key reception time [net-next,6/9] mptcp: cleanup subflow_finish_connect() [net-next,7/9] subflow: explicitly check for plain tcp rsk [net-next,8/9] subflow: use rsk_ops->send_reset() [net-next,9/9] subflow: introduce and use mptcp_can_accept_new_subflow()

Message ID

d3e7a601036127035708ebe28359b8e0ad142b14.1594401165.git.pabeni@redhat.com

State

Accepted, archived

Delegated to:

Matthieu Baerts

Headers

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=205.139.110.61;
 helo=us-smtp-delivery-1.mimecast.com; envelope-from=pabeni@redhat.com;
 receiver=<UNKNOWN> 
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.01.org
Date: Fri, 10 Jul 2020 19:22:16 +0200
Message-Id: 
 <d3e7a601036127035708ebe28359b8e0ad142b14.1594401165.git.pabeni@redhat.com>
In-Reply-To: <cover.1594401165.git.pabeni@redhat.com>
References: <cover.1594401165.git.pabeni@redhat.com>
MIME-Version: 1.0
Message-ID-Hash: 6SSSMNX5Y5XQVGQD3FWBP333PEIROI5K
Precedence: list
Subject: [MPTCP] [PATCH net-next 7/9] subflow: explicitly check for plain tcp
 rsk
Archived-At: 
 <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/6SSSMNX5Y5XQVGQD3FWBP333PEIROI5K/>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

mptcp: cope better with mp_join storm | expand

Commit Message

Paolo Abeni July 10, 2020, 5:22 p.m. UTC

When syncookie are in use, the TCP stack may feed into
subflow_syn_recv_sock() plain TCP request sockets. We can't
access mptcp_subflow_request_sock-specific fields on such
sockets. Explicitly check the rsk ops to do safe accesses.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
Note: this fixes an slab-out-of-bounds on syncookied
MP_JOIN req, but handling of such req is still problematic:
we relay on the client closing the socket before the 3rd
ack, otherwise the client socket will be created as plain
TCP one - and again client will have to close it.
---
 net/mptcp/subflow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 90857d5da216..8eaf9eb8a29b 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -417,7 +417,7 @@  static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 
 	/* hopefully temporary handling for MP_JOIN+syncookie */
 	subflow_req = mptcp_subflow_rsk(req);
-	fallback_is_fatal = subflow_req->mp_join;
+	fallback_is_fatal = tcp_rsk(req)->is_mptcp && subflow_req->mp_join;
 	fallback = !tcp_rsk(req)->is_mptcp;
 	if (fallback)
 		goto create_child;

[net-next,7/9] subflow: explicitly check for plain tcp rsk

Commit Message

Patch