inpcb: Ignore SO_REUSEPORT_LB on connected sockets
While TCP disallows connect()ing a socket with SO_REUSEPORT_LB, UDP does not. As a result, a connected UDP socket can be placed in the lbgroup hash and thus receive datagrams from sources other than the connected host. Reported by: Amit Klein <amit.klein@mail.huji.ac.il> Reported by: Omer Ben Simhon <omer.bensimhon@mail.huji.ac.il> Reviewed by: glebius Approved by: so Security: FreeBSD-SA-25:09.netinet Security: CVE-2025-24934
This commit is contained in:
+10
-3
@@ -2665,10 +2665,13 @@ in_pcbinshash(struct inpcb *inp)
|
||||
INP_PCBPORTHASH(inp->inp_lport, pcbinfo->ipi_porthashmask)];
|
||||
|
||||
/*
|
||||
* Add entry to load balance group.
|
||||
* Only do this if SO_REUSEPORT_LB is set.
|
||||
* Ignore SO_REUSEPORT_LB if the socket is connected. Really this case
|
||||
* should be an error, but for UDP sockets it is not, and some
|
||||
* applications erroneously set it on connected UDP sockets, so we can't
|
||||
* change this without breaking compatibility.
|
||||
*/
|
||||
if ((inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) {
|
||||
if (!connected &&
|
||||
(inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) {
|
||||
int error = in_pcbinslbgrouphash(inp, M_NODOM);
|
||||
if (error != 0)
|
||||
return (error);
|
||||
@@ -2770,6 +2773,10 @@ in_pcbrehash(struct inpcb *inp)
|
||||
connected = !in_nullhost(inp->inp_faddr);
|
||||
}
|
||||
|
||||
/* See the comment in in_pcbinshash(). */
|
||||
if (connected && (inp->inp_flags & INP_INLBGROUP) != 0)
|
||||
in_pcbremlbgrouphash(inp);
|
||||
|
||||
/*
|
||||
* When rehashing, the caller must ensure that either the new or the old
|
||||
* foreign address was unspecified.
|
||||
|
||||
Reference in New Issue
Block a user