• Florian Westphal's avatar
    mptcp: fix use-after-free for ipv6 · b0519de8
    Florian Westphal authored
    Turns out that when we accept a new subflow, the newly created
    inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the
    listener socket.
    
    This wasn't caught by the selftest because it closes the accepted fd
    before the listening one.
    
    adding a close(listenfd) after accept returns is enough:
     BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
     Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518
     Call Trace:
      inet6_getname+0x6ba/0x790
      __sys_getpeername+0x10b/0x250
      __x64_sys_getpeername+0x6f/0xb0
    
    also alter test program to exercise this.
    Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
    Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b0519de8
protocol.c 28.9 KB