From cf55e69378e1d1369eded955aefd29dccf6ba48d Mon Sep 17 00:00:00 2001
From: Christoph Paasch <cpaasch@apple.com>
Date: Fri, 8 Mar 2019 08:11:26 -0800
Subject: [PATCH] mptcp: Fully disable MD5SIG

We need to make sure the TCP-MD5SIG is not being used in combination
with MPTCP. It's already checked in mptcp_doit(), but we need to make
sure that one is not setting it after connect and/or doing other tricks
with the socket-options.

syzbot found a plethora of issues when combining MPTCP with MD5SIG. A
combination that anyways does not work because there is no TCP-option
space.

Fixes: Zero-day Bug
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---
 net/ipv4/tcp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 02cdbf8caabbb..77fce73034206 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3129,7 +3129,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 #ifdef CONFIG_TCP_MD5SIG
 	case TCP_MD5SIG:
 	case TCP_MD5SIG_EXT:
-		if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
+		if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN) && !sock_flag(sk, SOCK_MPTCP))
 			err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
 		else
 			err = -EINVAL;
@@ -3191,7 +3191,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 #ifdef CONFIG_MPTCP
 	case MPTCP_ENABLED:
 		if (mptcp_init_failed || !sysctl_mptcp_enabled ||
-		    sk->sk_state != TCP_CLOSE) {
+		    sk->sk_state != TCP_CLOSE
+#ifdef CONFIG_TCP_MD5SIG
+		    || tp->md5sig_info
+#endif
+								) {
 			err = -EPERM;
 			break;
 		}