mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
mainline inclusion
from mainline-v6.8-rc1
commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9D1
CVE: CVE-2024-35840
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb
--------------------------------
subflow_finish_connect() uses four fields (backup, join_id, thmac, none)
that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set
in mptcp_parse_option()
Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Krystad <peter.krystad@linux.intel.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang.tang@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Conflicts:
net/mptcp/options.c
net/mptcp/protocol.h
net/mptcp/subflow.c
[The introduction of suboptions is from commit 74c7dfbee3e1, and
OPTION_MPTCP_MPJ_SYNACK assignment of suboptions is from commit 89e23277f9c1.
Just focus on OPTION_MPTCP_MPJ_SYNACK related logic.]
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
(cherry picked from commit 964bc2774b1c3f48f480dcb3bf05e58f3af67cdb)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 2cc80a0..501011b 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -113,6 +113,7 @@ static void mptcp_parse_option(const struct sk_buff *skb,
mp_opt->backup, mp_opt->join_id,
mp_opt->token, mp_opt->nonce);
} else if (opsize == TCPOLEN_MPTCP_MPJ_SYNACK) {
+ mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK;
mp_opt->backup = *ptr++ & MPTCPOPT_BACKUP;
mp_opt->join_id = *ptr++;
mp_opt->thmac = get_unaligned_be64(ptr);
@@ -299,6 +300,7 @@ void mptcp_get_options(const struct sk_buff *skb,
mp_opt->port = 0;
mp_opt->rm_addr = 0;
mp_opt->dss = 0;
+ mp_opt->suboptions = 0;
length = (th->doff * 4) - sizeof(struct tcphdr);
ptr = (const unsigned char *)(th + 1);
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 3e5af83..9f8fb7b 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -107,6 +107,7 @@ struct mptcp_options_received {
family : 4,
echo : 1,
backup : 1;
+ u16 suboptions;
u32 token;
u32 nonce;
u64 thmac;
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 9d2e73d..1b73230 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -323,7 +323,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
} else if (subflow->request_join) {
u8 hmac[SHA256_DIGEST_SIZE];
- if (!mp_opt.mp_join)
+ if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK))
goto do_reset;
subflow->thmac = mp_opt.thmac;
@@ -542,6 +542,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
* are not parsed
*/
mp_opt.mp_capable = 0;
+ mp_opt.suboptions = 0;
/* hopefully temporary handling for MP_JOIN+syncookie */
subflow_req = mptcp_subflow_rsk(req);
