mptcp: more strict state checking for acks

Syzkaller found a way to trigger division by zero in mptcp_subflow_cleanup_rbuf(). The current checks implemented into tcp_can_send_ack() are too week, let's be more accurate. Reported-by: Christoph Paasch <cpaasch@apple.com> Fixes: ea4ca586 ("mptcp: refine MPTCP-level ack scheduling") Fixes: fd897679 ("mptcp: be careful on MPTCP-level ack.") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>

mptcp: more strict state checking for acks
Syzkaller found a way to trigger division by zero in mptcp_subflow_cleanup_rbuf(). The current checks implemented into tcp_can_send_ack() are too week, let's be more accurate. Reported-by: Christoph Paasch <cpaasch@apple.com> Fixes: ea4ca586 ("mptcp: refine MPTCP-level ack scheduling") Fixes: fd897679 ("mptcp: be careful on MPTCP-level ack.") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
20bc80b6 · Paolo Abeni · Jakub Kicinski · ece9ab2a · 20bc80b6
Commit 20bc80b6 authored Jan 12, 2021 by Paolo Abeni Committed by Jakub Kicinski Jan 12, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/mptcp/protocol.c net/mptcp/protocol.c +1 -1

No files found.
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -427,7 +427,7 @@ static bool mptcp_subflow_active(struct mptcp_subflow_context *subflow)
 static bool tcp_can_send_ack(const struct sock *ssk)
 {
 	return !((1 << inet_sk_state_load(ssk)) &
-	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE));
+	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE | TCPF_LISTEN));
 }

 static void mptcp_send_ack(struct mptcp_sock *msk)