From owner-freebsd-stable Mon Mar 25 20:36:18 2002
Date: Mon, 25 Mar 2002 20:36:50 -0800 (PST)
From: Lamont Granquist
Subject: UDP jail bug patch (was Re: (PATCH) Re: jail bug with ircd-hybrid in_pcbconnect()?)
Message-ID: <20020325202752.P5308-100000@coredump.scriptkiddie.org>

I previously posted a patch to fix this UDP-in-jail bug which I believe may have compromised the security of the jail. This patch shouldn't do that. It:

1. preserves the jail check in in_pcbconnect()
2. preserves the laddr+lport check in the beginning of in_pcbbind()
3. modifies no code outside of the jail path
4. only diddles with the PCB laddr, which shouldn't have any side effects because that is exactly what udp_output() is doing to cause the problem in the first place

Arguably the real fix should be to fix the hash table and the bogosity in udp_output(), but I don't have the time to commit to that.

--- in_pcb.c.old	Mon Mar 18 23:57:57 2002
+++ in_pcb.c	Tue Mar 19 09:52:45 2002
@@ -501,6 +501,8 @@
 	int error;
 
 	if (inp->inp_laddr.s_addr == INADDR_ANY && p->p_prison != NULL) {
+		if (inp->inp_lport != 0)
+			inp->inp_laddr.s_addr = htonl(p->p_prison->pr_ip);
 		bzero(&sa, sizeof (sa));
 		sa.sin_addr.s_addr = htonl(p->p_prison->pr_ip);
 		sa.sin_len=sizeof (sa);
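Review bot: the two added lines under `if (inp->inp_lport != 0)` only assign inp_laddr and do not change control flow, so execution falls through into the unchanged context that keeps building `sa` (bzero, sa.sin_addr, sa.sin_len) for the in_pcbbind() call that item 2 of the message says is preserved; with inp_lport already nonzero and inp_laddr now set to the prison IP, the laddr+lport check at the start of in_pcbbind() that item 2 says is kept would reject that bind rather than let the already-bound PCB through. If the intent is that a jailed PCB which already has a port just gets its prison address filled in and skips the rebind, make that explicit, e.g. `if (inp->inp_lport != 0) {` / `inp->inp_laddr.s_addr = htonl(p->p_prison->pr_ip);` / `} else {` around the existing bind setup, and add a comment explaining how a PCB reaches this point with a port but no address (the udp_output() behaviour the message blames), because the bare assignment otherwise reads as an unexplained workaround. Minor: `htonl(p->p_prison->pr_ip)` is now computed twice in the same block; a local would avoid the duplication.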