Commit 4b5af441, author: Paolo Abeni, committer: David S. Miller

mptcp: don't leak msk in token container

If a listening MPTCP socket has unaccepted sockets at close
time, the related msks are freed via mptcp_sock_destruct(),
which in turn does not invoke the proto->destroy() method
nor the mptcp_token_destroy() function.

Due to the above, the child msk socket is not removed from
the token container, leading to later UaF.

Address the issue explicitly removing the token even in the
above error path.

Fixes: 79c0949e ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Parent 5969856a
...@@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk) ...@@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk)
sock_orphan(sk); sock_orphan(sk);
} }
mptcp_token_destroy(mptcp_sk(sk)->token);
inet_sock_destruct(sk); inet_sock_destruct(sk);
} }
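Review bot: The new mptcp_token_destroy(mptcp_sk(sk)->token) call sits after the closing brace of the preceding block and directly before inet_sock_destruct(sk), so it runs on every invocation of mptcp_sock_destruct(), not only for the unaccepted-child case the commit message describes. Please confirm that mptcp_token_destroy() is safe when the token was never inserted into the container or has already been removed, since a second removal on a path that also went through proto->destroy() would be its own bug. A one-line comment above the call stating that this destructor path bypasses proto->destroy() and therefore must drop the token itself would keep the line from being removed later as apparently redundant.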
......