mptcp: Fully disable MD5SIG

We need to make sure the TCP-MD5SIG is not being used in combination with MPTCP. It's already checked in mptcp_doit(), but we need to make sure that one is not setting it after connect and/or doing other tricks with the socket-options. syzbot found a plethora of issues when combining MPTCP with MD5SIG. A combination that anyways does not work because there is no TCP-option space. Fixes: Zero-day Bug Signed-off-by: Christoph Paasch <[email protected]> Signed-off-by: Matthieu Baerts <[email protected]>
multipath-tcp · Mar 8, 2019 · cf55e69 · cf55e69
1 parent e75f410
commit cf55e69
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
@@ -3129,7 +3129,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 #ifdef CONFIG_TCP_MD5SIG
 	case TCP_MD5SIG:
 	case TCP_MD5SIG_EXT:
-		if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
+		if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN) && !sock_flag(sk, SOCK_MPTCP))
 			err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
 		else
 			err = -EINVAL;
@@ -3191,7 +3191,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 #ifdef CONFIG_MPTCP
 	case MPTCP_ENABLED:
 		if (mptcp_init_failed || !sysctl_mptcp_enabled ||
-		    sk->sk_state != TCP_CLOSE) {
+		    sk->sk_state != TCP_CLOSE
+#ifdef CONFIG_TCP_MD5SIG
+		    || tp->md5sig_info
+#endif
+								) {
 			err = -EPERM;
 			break;
 		}