This is a note to let you know that I've just added the patch titled

    mptcp: strict validation before using mp_opt->hmac

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    mptcp-strict-validation-before-using-mp_opt-hmac.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit 25885a0904ce38e632fd319f709cdacd5ae4c043
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Thu Jan 11 19:49:14 2024 +0000

    mptcp: strict validation before using mp_opt->hmac

    [ Upstream commit c1665273bdc7c201766c65e561c06711f2e050dc ]

    mp_opt->hmac contains uninitialized data unless OPTION_MPTCP_MPJ_ACK
    was set in mptcp_parse_option().

    We must refine the condition before we call subflow_hmac_valid().

    Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Florian Westphal <fw@xxxxxxxxx>
    Cc: Peter Krystad <peter.krystad@xxxxxxxxxxxxxxx>
    Cc: Matthieu Baerts <matttbe@xxxxxxxxxx>
    Cc: Mat Martineau <martineau@xxxxxxxxxx>
    Cc: Geliang Tang <geliang.tang@xxxxxxxxx>
    Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
    Acked-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Reviewed-by: Mat Martineau <martineau@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240111194917.4044654-3-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index a1349c6eda46..c2c30724b322 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c 
@@ -698,7 +698,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, fallback = true; } else if (subflow_req->mp_join) { mptcp_get_options(skb, &mp_opt); - if (!(mp_opt.suboptions & OPTIONS_MPTCP_MPJ) || + if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK) || !subflow_hmac_valid(req, &mp_opt) || !mptcp_can_accept_new_subflow(subflow_req->msk)) { SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
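
Review bot: the safety of the `subflow_hmac_valid(req, &mp_opt)` call in the `else if (subflow_req->mp_join)` branch of subflow_syn_recv_sock() now rests entirely on short-circuit order, and nothing in the code says so. The HMAC check is only sound because the `OPTION_MPTCP_MPJ_ACK` test sits before it in the `||` chain; per the commit message, mp_opt->hmac holds uninitialized data when that flag is not set. A one-line comment above the condition stating that mp_opt.hmac is valid only when OPTION_MPTCP_MPJ_ACK is set would keep a later reordering or refactor of this condition from reintroducing the read of uninitialized data. A smaller point on the same condition: all three failure reasons (flag missing, HMAC mismatch, `mptcp_can_accept_new_subflow()` refusing) still increment MPTCP_MIB_JOINACKMAC, so the counter cannot tell a packet that lacked the expected suboption from one that carried a wrong HMAC; that is worth noting in the changelog if it is intentional.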