Linux Kernel MPTCP ADD_ADDR Reference Count Management Vulnerability

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation has been addressed. The issue involved improper management of socket reference counts when ADD_ADDR messages were retransmitted. Specifically, the socket was not always released correctly, leading to a potential reference count leak. This vulnerability affected the Linux kernel stable tree.

Impact

The vulnerability could have led to a reference count leak in the socket management, potentially causing memory management issues.

Reproduction

The vulnerability can be reproduced by retransmitting ADD_ADDR messages in the MPTCP implementation. During this process, the socket reference count is not properly managed, as certain checks incorrectly bypass the necessary function calls to decrease the reference count. This can be observed by monitoring the socket reference count before and after the retransmission of ADD_ADDR messages.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been fixed.