Date:      Mon, 25 Mar 2002 20:36:50 -0800 (PST)
From:      Lamont Granquist <lamont@scriptkiddie.org>
To:        <freebsd-stable@freebsd.org>, <freebsd-hackers@freebsd.org>
Subject:   UDP jail bug patch (was Re: (PATCH) Re: jail bug with ircd-hybrid in_pcbconnect()?)
Message-ID:  <20020325202752.P5308-100000@coredump.scriptkiddie.org>

I previously posted a patch to fix this UDP-in-jail bug which I believe
may have compromised the security of the jail.  This patch shouldn't do
that.

It:

1.  preserves the jail check in in_pcbconnect()
2.  preserves the laddr+lport check in the beginning of in_pcbbind()
3.  modifies no code outside of the jail path
4.  only diddles with the PCB laddr which shouldn't have any side effects
    because that is exactly what udp_output() is doing to cause the
    problem in the first place

Arguably the real fix should be to fix the hash table and the bogosity in
udp_output(), but I don't have the time to commit to that.

--- in_pcb.c.old	Mon Mar 18 23:57:57 2002
+++ in_pcb.c	Tue Mar 19 09:52:45 2002
@@ -501,6 +501,8 @@
 	int error;

 	if (inp->inp_laddr.s_addr == INADDR_ANY && p->p_prison != NULL) {
+		if (inp->inp_lport != 0)
+			inp->inp_laddr.s_addr = htonl(p->p_prison->pr_ip);
 		bzero(&sa, sizeof (sa));
 		sa.sin_addr.s_addr = htonl(p->p_prison->pr_ip);
 		sa.sin_len=sizeof (sa);
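
Review bot: The added `if (inp->inp_lport != 0)` branch sets `inp->inp_laddr.s_addr` and then falls through into the existing `bzero(&sa, sizeof (sa));` and `sa.sin_addr.s_addr = ...` setup rather than skipping it, so whatever consumes `sa` after this hunk still runs for a PCB that already has a local port. The message says the laddr+lport check at the start of in_pcbbind() is preserved, so if `sa` is passed to in_pcbbind() below, please confirm that path does not reject the PCB in exactly the case this branch targets, or put the `sa` setup under an `else`. Nothing visible here restores the old laddr if a later step fails, so say whether leaving the PCB bound to `pr_ip` after an error is intended. A short comment above the new lines explaining that udp_output() is what leaves laddr at INADDR_ANY while lport is set would make the condition understandable to the next reader.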


