The assertions added in commit b0ccf53f2455 ("inpcb: Assert against
wildcard addrs in in_pcblookup_hash_locked()") turned up some
interesting bugs.
In IPv4, it is possible to have a route from address 0.0.0.0; I believe
this is mostly used for DHCP wherein UDP packets are sent with src
address 0.0.0.0. For example, dhclient temporarily assigns this address
to an interface when soliciting leases.
There is nothing preventing 0.0.0.0 from being selected as a src address
by in_pcbladdr(), however. I believe that we should prohibit this,
hence, modify in(6)_pcbladdr() to return EHOSTUNREACH instead of an
unspecified address. I believe this already cannot happen for IPv6,
which is more strict about this, but I'm not certain.
Also ensure that protocols reject unspecified addresses. ip6_input()
already prohibits an unspecified destination address, do the same in
ip_input() per RFC 1122. Also make TCP reject unspecified source
addresses. I'm not quite sure what to do about UDP yet since
udp_input() may legitimately receive packets with an unspecified src
address.
Reported by: syzkaller
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay