mptcp: Make sure that inside_tk_table is 0 when creating a TCP-socket

We only set it to 0 inside MPTCP-functions. But that is way too late... TCP-creation might fail earlier and then we end up in the destroy-function thinking that the subflow is "inside_tk_table". So, we remove it and will end up corrupting the hlist. Fixes: Zero-day bug Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> (cherry picked from commit a794fa3) Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> (cherry picked from commit b864616) Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
multipath-tcp · Feb 17, 2020 · e00f7a7 · e00f7a7
1 parent f81f166
commit e00f7a7
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
@@ -577,6 +577,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
 		newtp->syn_data_acked = 0;
 		newtp->rack.mstamp = 0;
 		newtp->rack.advanced = 0;
+		newtp->inside_tk_table = 0;
 
 		__TCP_INC_STATS(sock_net(sk), TCP_MIB_PASSIVEOPENS);
 	}

diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c
@@ -1125,6 +1125,7 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 		goto err_alloc_master;
 
 	master_tp = tcp_sk(master_sk);
+	master_tp->inside_tk_table = 0;
 
 	mpcb = kmem_cache_zalloc(mptcp_cb_cache, GFP_ATOMIC);
 	if (!mpcb)
@@ -1195,7 +1196,6 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 		local_bh_enable();
 		rcu_read_unlock();
 	}
-	master_tp->inside_tk_table = 0;
 
 #if IS_ENABLED(CONFIG_IPV6)
 	if (meta_icsk->icsk_af_ops == &mptcp_v6_mapped) {
@@ -2175,7 +2175,6 @@ struct sock *mptcp_check_req_child(struct sock *meta_sk,
 	struct mptcp_cb *mpcb = tcp_sk(meta_sk)->mpcb;
 	u8 hash_mac_check[20];
 
-	child_tp->out_of_order_queue = RB_ROOT;
 	child_tp->inside_tk_table = 0;
 
 	if (!mopt->join_ack) {