From 2cf21ae5591afbc75654a67e5452adca7137e263 Mon Sep 17 00:00:00 2001
From: Randall Stewart
Date: Wed, 3 Jun 2020 14:16:40 +0000
Subject: [PATCH] We should never allow either the broadcast or IN_ADDR_ANY to be connected to or sent to. This was fond when working with Michael Tuexen and Skyzaller. Skyzaller seems to want to use either of these two addresses to connect to at times. And it really is an error to do so, so lets not allow that behavior.
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D24852
---
 sys/netinet/tcp_usrreq.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index a30c1bb40c0..a82579d4e29 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -552,6 +552,10 @@ tcp_usr_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 if (sinp->sin_family == AF_INET && IN_MULTICAST(ntohl(sinp->sin_addr.s_addr)))
 return (EAFNOSUPPORT);
+ if ((sinp->sin_family == AF_INET) &&
+ ((ntohl(sinp->sin_addr.s_addr) == INADDR_BROADCAST) ||
+ (sinp->sin_addr.s_addr == INADDR_ANY)))
+ return(EAFNOSUPPORT);
 if ((error = prison_remote_ip4(td->td_ucred, &sinp->sin_addr)) != 0)
 return (error);
@@ -652,6 +656,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 error = EAFNOSUPPORT;
 goto out;
 }
+ if ((ntohl(sin.sin_addr.s_addr) == INADDR_BROADCAST) ||
+ (sin.sin_addr.s_addr == INADDR_ANY)) {
+ error = EAFNOSUPPORT;
+ goto out;
+ }
 if ((error = prison_remote_ip4(td->td_ucred, &sin.sin_addr)) != 0)
 goto out;
@@ -1024,6 +1033,13 @@ tcp_usr_send(struct socket *so, int flags, struct mbuf *m,
 error = EAFNOSUPPORT;
 goto out;
 }
+ if ((ntohl(sinp->sin_addr.s_addr) == INADDR_BROADCAST) ||
+ (sinp->sin_addr.s_addr == INADDR_ANY)) {
+ if (m)
+ m_freem(m);
+ error = EAFNOSUPPORT;
+ goto out;
+ }
 if ((error = prison_remote_ip4(td->td_ucred, &sinp->sin_addr))) {
 if (m)
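Review bot: The added test in tcp_usr_connect converts one operand with ntohl() and compares the other raw, and `return(EAFNOSUPPORT);` drops the space used by `return (EAFNOSUPPORT);` two lines above it. Both comparisons are still right, since 0 and 0xffffffff read the same in either byte order, but the asymmetry is easy to copy wrongly and the same predicate is repeated in the tcp6_usr_connect and tcp_usr_send hunks. I would spell it `sinp->sin_addr.s_addr == htonl(INADDR_BROADCAST) || sinp->sin_addr.s_addr == htonl(INADDR_ANY)` and put `/* TCP has no broadcast or wildcard peer; refuse both. */` above it. Rejecting INADDR_ANY may also change what existing callers observe, if the connect path previously resolved it to a local address, so the new errno deserves a line in connect(2). The function body starts and ends outside the hunk.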
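Review bot: The guard added to tcp6_usr_connect tests `sin.sin_addr`, which looks like the IPv4 view of a v4-mapped destination, so it does not cover a native IPv6 connect to the unspecified address. Whether that case is refused elsewhere in the function is not visible here; if it is not, an `IN6_IS_ADDR_UNSPECIFIED()` test on the IPv6 destination would keep the two families consistent. A short comment such as `/* Same restriction as tcp_usr_connect(), applied to the mapped IPv4 address. */` would also explain why the check appears a second time. The hunk starts and ends inside the function.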
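Review bot: Only the `sinp` path of tcp_usr_send gets the new rejection: the diffstat's 16 insertions are all accounted for by these three hunks, so any v4-mapped AF_INET6 path in this function (not visible here) would still accept both addresses on an implied connect. The connect side was covered for both socket families, and the send side should carry the same `INADDR_BROADCAST` / `INADDR_ANY` test in each address-family branch. The `if (m) m_freem(m);` before `goto out` mirrors the `if (m)` that opens the following prison_remote_ip4 branch, which is consistent as long as the code at `out` does not release `m` again; that is worth confirming, since the label is outside the hunk. Only 255.255.255.255 is matched here, so a subnet-directed broadcast is left to whatever checks exist further down. The function starts and ends outside the hunk.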