net/tls: Only attach to sockets in ESTABLISHED state

Calling accept on a TCP socket with a TLS ulp attached results in two sockets that share the same ulp context. The ulp context is freed while a socket is destroyed, so after one of the sockets is released, the second second will trigger a use after free when it tries to access the ulp context attached to it. We restrict the TLS ulp to sockets in ESTABLISHED state to prevent the scenario above. Fixes: 3c4d755 ("tls: kernel TLS support") Reported-by: [email protected] Signed-off-by: Ilya Lesokhin <[email protected]> Signed-off-by: David S. Miller <[email protected]>
siemens · Jan 17, 2018 · d91c3e1 · d91c3e1
1 parent f8b3903
commit d91c3e1
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
@@ -454,6 +454,15 @@ static int tls_init(struct sock *sk)
 	struct tls_context *ctx;
 	int rc = 0;
 
+	/* The TLS ulp is currently supported only for TCP sockets
+	 * in ESTABLISHED state.
+	 * Supporting sockets in LISTEN state will require us
+	 * to modify the accept implementation to clone rather then
+	 * share the ulp context.
+	 */
+	if (sk->sk_state != TCP_ESTABLISHED)
+		return -ENOTSUPP;
+
 	/* allocate tls context */
 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
 	if (!ctx) {