Commit 9238e900 authored by Geliang Tang's avatar Geliang Tang Committed by David S. Miller
Browse files

mptcp: free resources when the port number is mismatched 



When the port number is mismatched with the announced ones, use
'goto dispose_child' to free the resources instead of using 'goto out'.

This patch also moves the port number checking code in
subflow_syn_recv_sock before mptcp_finish_join, otherwise subflow_drop_ctx
will fail in dispose_child.

Fixes: 5bc56388 ("mptcp: add port number check for MP_JOIN")
Reported-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarGeliang Tang <geliangtang@gmail.com>
Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 417789df

net/mptcp/subflow.c

+7 −6
Original line number Diff line number Diff line
@@ -687,11 +687,6 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, 
			/* move the msk reference ownership to the subflow */

			subflow_req->msk = NULL;

			ctx->conn = (struct sock *)owner;

			if (!mptcp_finish_join(child))

				goto dispose_child;



			SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);

			tcp_rsk(req)->drop_req = true;



			if (subflow_use_different_sport(owner, sk)) {

				pr_debug("ack inet_sport=%d %d",
@@ -699,10 +694,16 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, 
					 ntohs(inet_sk((struct sock *)owner)->inet_sport));

				if (!mptcp_pm_sport_in_anno_list(owner, sk)) {

					SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTACKRX);

					goto out;

					goto dispose_child;

				}

				SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINPORTACKRX);

			}



			if (!mptcp_finish_join(child))

				goto dispose_child;



			SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);

			tcp_rsk(req)->drop_req = true;

		}

	}