inpcb: Restore missing validation of local addresses for jailed sockets

When looking up a listening socket, the SMR-protected lookup routine may
return a jailed socket with no local address.  This happens when using
classic jails with more than one IP address; in a single-IP classic
jail, a bound socket's local address is always rewritten to be that of
the jail.

After commit 7b92493ab1, the lookup path failed to check whether the
jail corresponding to a matched wildcard socket actually owns the
address, and would return the match regardless.  Restore the omitted
checks.

Fixes:		7b92493ab1 ("inpcb: Avoid inp_cred dereferences in SMR-protected lookup")
Reported by:	peter
Reviewed by:	bz
Differential Revision:	https://reviews.freebsd.org/D40268

sys/netinet/in_pcb.c

@@ -2254,8 +2254,10 @@ in_pcblookup_hash_wild_smr(struct inpcbinfo *pcbinfo, struct in_addr faddr,
 			continue;
 
 		if (__predict_true(inp_smr_lock(inp, lockflags))) {
-			if (__predict_true(in_pcblookup_wild_match(inp, laddr,
-			    lport) != INPLOOKUP_MATCH_NONE))
+			match = in_pcblookup_wild_match(inp, laddr, lport);
+			if (match != INPLOOKUP_MATCH_NONE &&
+			    prison_check_ip4_locked(inp->inp_cred->cr_prison,
+			    &laddr) == 0)
 				return (inp);
 			inp_unlock(inp, lockflags);
 		}

sys/netinet6/in6_pcb.c

@@ -1021,8 +1021,10 @@ in6_pcblookup_hash_wild_smr(struct inpcbinfo *pcbinfo,
 			continue;
 
 		if (__predict_true(inp_smr_lock(inp, lockflags))) {
-			if (__predict_true(in6_pcblookup_wild_match(inp, laddr,
-			    lport) != INPLOOKUP_MATCH_NONE))
+			match = in6_pcblookup_wild_match(inp, laddr, lport);
+			if (match != INPLOOKUP_MATCH_NONE &&
+			    prison_check_ip6_locked(inp->inp_cred->cr_prison,
+			    laddr) == 0)
 				return (inp);
 			inp_unlock(inp, lockflags);
 		}