mptcp: more strict state checking for acks

Syzkaller found a way to trigger division by zero in mptcp_subflow_cleanup_rbuf(). The current checks implemented into tcp_can_send_ack() are too week, let's be more accurate. Reported-by: Christoph Paasch <[email protected]> Fixes: ea4ca58 ("mptcp: refine MPTCP-level ack scheduling") Fixes: fd89767 ("mptcp: be careful on MPTCP-level ack.") Signed-off-by: Paolo Abeni <[email protected]> Reviewed-by: Mat Martineau <[email protected]> Signed-off-by: Jakub Kicinski <[email protected]>
sirdarckcat · Jan 13, 2021 · 20bc80b · 20bc80b
1 parent ece9ab2
commit 20bc80b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
@@ -427,7 +427,7 @@ static bool mptcp_subflow_active(struct mptcp_subflow_context *subflow)
 static bool tcp_can_send_ack(const struct sock *ssk)
 {
 	return !((1 << inet_sk_state_load(ssk)) &
-	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE));
+	       (TCPF_SYN_SENT | TCPF_SYN_RECV | TCPF_TIME_WAIT | TCPF_CLOSE | TCPF_LISTEN));
 }
 
 static void mptcp_send_ack(struct mptcp_sock *msk)