This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

mptcp: Fix use-after-free in the redundant scheduler
There still is a use-after-free in the redundant scheduler. Just using
end_seq is definitely not enough. We need to make sure that the entire
skb is within snd_una -> snd_nxt.

Fixes: 9796f92 ("mptcp: Make sure only valid skb's are pointed to by the redundant scheduler")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 7835e78)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 7b2f536)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
cpaasch authored and matttbe committed Oct 21, 2021
1 parent 0732c14 commit d1c53d9
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions net/mptcp/mptcp_redundant.c
Expand Up @@ -24,9 +24,10 @@
struct redsched_priv {
/* The skb or NULL */
struct sk_buff *skb;
/* End sequence number of the skb. This number should be checked
/* Start/end sequence number of the skb. This number should be checked
* to be valid before the skb field is used
*/
u32 skb_start_seq;
u32 skb_end_seq;
};
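Review bot: The updated comment in struct redsched_priv still reads "This number should be checked" although it now describes two fields, skb_start_seq and skb_end_seq. Suggest "These numbers should be checked to be valid before the skb field is used", and stating next to the fields that both must lie between snd_una and snd_nxt of the meta socket, since that is the invariant the cached skb pointer depends on.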

Expand Down Expand Up @@ -188,7 +189,7 @@ static void redsched_correct_skb_pointers(struct sock *meta_sk,
struct tcp_sock *meta_tp = tcp_sk(meta_sk);

if (red_p->skb &&
(!after(red_p->skb_end_seq, meta_tp->snd_una) ||
(!after(red_p->skb_start_seq, meta_tp->snd_una) ||
after(red_p->skb_end_seq, meta_tp->snd_nxt)))
red_p->skb = NULL;
}
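Review bot: The new lower-bound test in redsched_correct_skb_pointers(), `!after(red_p->skb_start_seq, meta_tp->snd_una)`, also clears the pointer when skb_start_seq equals snd_una, which is an skb that begins exactly at the first unacknowledged byte and has not been acked at all. The commit message asks for the entire skb to be within snd_una -> snd_nxt, so if excluding that boundary case is deliberate (erring on the side of dropping the pointer), a one-line comment above the condition should say so; otherwise `before(red_p->skb_start_seq, meta_tp->snd_una)` expresses the stated window. Either way, a short comment on why a sequence-window check is enough to treat red_p->skb as still valid would help the next reader of this function.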
Expand Down Expand Up @@ -306,6 +307,7 @@ static struct sk_buff *mptcp_red_next_segment(struct sock *meta_sk,
if (skb && redsched_use_subflow(meta_sk, active_valid_sks, tp,
skb)) {
red_p->skb = skb;
red_p->skb_start_seq = TCP_SKB_CB(skb)->seq;
red_p->skb_end_seq = TCP_SKB_CB(skb)->end_seq;
redsched_update_next_subflow(tp, red_cb);
*subsk = (struct sock *)tp;
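Review bot: At `red_p->skb = skb;` the scheduler keeps a raw pointer and, in the lines shown, takes no reference on the skb, so its validity rests entirely on skb_start_seq and skb_end_seq being recorded here and checked later in redsched_correct_skb_pointers(). A comment at this store naming that function as the required check before any later read of red_p->skb would make the dependency explicit and make a future use-after-free of the same kind easier to spot in review.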
Expand Down Expand Up @@ -333,6 +335,7 @@ static struct sk_buff *mptcp_red_next_segment(struct sock *meta_sk,
if (skb && redsched_use_subflow(meta_sk, active_valid_sks, tp,
skb)) {
red_p->skb = skb;
red_p->skb_start_seq = TCP_SKB_CB(skb)->seq;
red_p->skb_end_seq = TCP_SKB_CB(skb)->end_seq;
redsched_update_next_subflow(tp, red_cb);
*subsk = (struct sock *)tp;
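Review bot: This is the second copy in mptcp_red_next_segment() of the same three stores (red_p->skb, red_p->skb_start_seq, red_p->skb_end_seq), and the fix had to add the skb_start_seq line in both places. Suggest a small static helper that takes red_p and skb and sets all three fields together, so the pointer can never be stored without both sequence numbers and a later change cannot update one call site and miss the other.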
