On Mon, 15 Feb 2021, Geliang Tang wrote:
Fix the length of RM_ADDR suboption in mptcp_pm_rm_addr_signal.
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
net/mptcp/pm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 32f203f186a2..8e97f90cbdec 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -260,7 +260,7 @@ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int
remaining,
bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
struct mptcp_rm_list *rm_list)
{
- int ret = false;
+ int ret = false, len;
spin_lock_bh(&msk->pm.lock);
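Review bot: `ret` and `len` are declared together as `int` at `+ int ret = false, len;`, yet the function returns `bool` and `ret` only ever holds a boolean, while `len` is a byte count that can be negative. Declaring them separately (`bool ret = false;` and `int len;`) would keep the types honest and avoid mixing a flag and a length in one declaration.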
@@ -268,7 +268,10 @@ bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int
remaining,
if (!mptcp_pm_should_rm_signal(msk))
goto out_unlock;
- if (remaining < TCPOLEN_MPTCP_RM_ADDR_BASE)
Thanks for catching that.
+ len = mptcp_rm_addr_len(msk->pm.rm_list_tx);
+ if (len < 0)
+ goto out_unlock;
Should this also clear msk->pm.addr_signal in this error case? Otherwise
the bad rm_list will be stuck forever. We shouldn't really run into this
error path since it's our code setting rm_list_tx.
+ if (remaining < len)
goto out_unlock;
*rm_list = msk->pm.rm_list_tx;
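Review bot: the commit message says only "Fix the length of RM_ADDR suboption" without stating what was wrong. This hunk replaces the fixed `TCPOLEN_MPTCP_RM_ADDR_BASE` bound with the result of `mptcp_rm_addr_len(msk->pm.rm_list_tx)` and adds a new early-return when that result is negative, so the log should state that the option length depends on the contents of `rm_list_tx` and under what condition the helper returns an error; as written, a reader of the history cannot tell whether the old check under-counted the option, and the new `len < 0` path (which, as noted above, leaves `addr_signal` untouched) is undocumented.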
--
2.29.2
--
Mat Martineau
Intel