From: Paolo Abeni <pabeni@redhat.com>
Date: Wed, 10 Jun 2020 08:49:00 +0000 (+0200)
Subject: mptcp: don't leak msk in token container
X-Git-Tag: v5.7.3~57
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=513c4ffa0dd26cb8935c3cb1278d6fdecc73f886;p=users%2Fdwmw2%2Flinux.git

mptcp: don't leak msk in token container

[ Upstream commit 4b5af44129d0653a4df44e5511c7d480c61c8f3c ]

If a listening MPTCP socket has unaccepted sockets at close
time, the related msks are freed via mptcp_sock_destruct(),
which in turn does not invoke the proto->destroy() method
nor the mptcp_token_destroy() function.

Due to the above, the child msk socket is not removed from
the token container, leading to later UaF.

Address the issue explicitly removing the token even in the
above error path.

Fixes: 79c0949e9a09 ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 8968b2c065e7c..e6feb05a93dc3 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk)
 		sock_orphan(sk);
 	}
 
+	mptcp_token_destroy(mptcp_sk(sk)->token);
 	inet_sock_destruct(sk);
 }