mptcp: Don't access write-queue unconditionally

When retransmitting ACKs with MP_JOIN, the write-queue is actually empty. Thus, we should not simply access it. Fixes: Zero-day bug Reported-by: Dejene Boru <dejene.boru@gmail.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
multipath-tcp · May 29, 2019 · 8b30a23 · 8b30a23
1 parent b68eaaf
commit 8b30a23
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
@@ -173,8 +173,14 @@ bool retransmits_timed_out(struct sock *sk,
 		return false;
 
 	start_ts = tcp_sk(sk)->retrans_stamp;
-	if (unlikely(!start_ts))
-		start_ts = tcp_skb_timestamp(tcp_write_queue_head(sk));
+	if (unlikely(!start_ts)) {
+		struct sk_buff *skb = tcp_write_queue_head(sk);
+
+		if (!skb)
+			return false;
+
+		start_ts = tcp_skb_timestamp(skb);
+	}
 
 	if (likely(timeout == 0)) {
 		linear_backoff_thresh = ilog2(TCP_RTO_MAX/rto_base);