From fd6aaf7fe1f443068ed1d8a87bb2fa87fc764e8a Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Fri, 3 Aug 2001 18:21:06 +0000 Subject: [PATCH] Anton kindly pointed out (and fixed) a bug in the Jail handling of the bind() call on IPv4 sockets: Currently, if one tries to bind a socket using INADDR_LOOPBACK inside a jail, it will fail because prison_ip() does not take this possibility into account. On the other hand, when one tries to connect(), for example, to localhost, prison_remote_ip() will silently convert INADDR_LOOPBACK to the jail's IP address. Therefore, it is desirable to make bind() to do this implicit conversion as well. Apart from this, the patch also replaces 0x7f000001 in prison_remote_ip() to a more correct INADDR_LOOPBACK. This is a 4.4-RELEASE "during the freeze, thanks" MFC candidate. Submitted by: Anton Berezin Discussed with at some point: phk MFC after: 3 days --- sys/kern/kern_jail.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index c417667a09f..b80d2f1eb13 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -123,6 +123,13 @@ prison_ip(struct ucred *cred, int flag, u_int32_t *ip) *ip = htonl(cred->cr_prison->pr_ip); return (0); } + if (tmp == INADDR_LOOPBACK) { + if (flag) + *ip = cred->cr_prison->pr_ip; + else + *ip = htonl(cred->cr_prison->pr_ip); + return (0); + } if (cred->cr_prison->pr_ip != tmp) return (1); return (0); @@ -139,7 +146,7 @@ prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip) tmp = *ip; else tmp = ntohl(*ip); - if (tmp == 0x7f000001) { + if (tmp == INADDR_LOOPBACK) { if (flag) *ip = cred->cr_prison->pr_ip; else