Re: [PATCH net 1/3] mptcp: Fix data stream corruption in the address announcement

[Simon Horman]

On Fri, Mar 14, 2025 at 09:11:31PM +0100, Matthieu Baerts (NGI0) wrote:
> From: Arthur Mongodin <amongodin@xxxxxxxxxxxxx>
> 
> Because of the size restriction in the TCP options space, the MPTCP
> ADD_ADDR option is exclusive and cannot be sent with other MPTCP ones.
> For this reason, in the linked mptcp_out_options structure, group of
> fields linked to different options are part of the same union.
> 
> There is a case where the mptcp_pm_add_addr_signal() function can modify
> opts->addr, but not ended up sending an ADD_ADDR. Later on, back in
> mptcp_established_options, other options will be sent, but with
> unexpected data written in other fields due to the union, e.g. in
> opts->ext_copy. This could lead to a data stream corruption in the next
> packet.
> 
> Using an intermediate variable, prevents from corrupting previously
> established DSS option. The assignment of the ADD_ADDR option
> parameters is now done once we are sure this ADD_ADDR option can be set
> in the packet, e.g. after having dropped other suboptions.
> 
> Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
> Cc: stable@xxxxxxxxxxxxxxx
> Suggested-by: Paolo Abeni <pabeni@xxxxxxxxxx>
> Signed-off-by: Arthur Mongodin <amongodin@xxxxxxxxxxxxx>
> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
> [ Matt: the commit message has been updated: long lines splits and some
>   clarifications. ]
> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>