After finding a jailed match, we need to verify that the local IP
address belongs to the match's jail, if any. Otherwise it becomes
possible for a jailed process to accept connections on IPs not belonging
to the jail. This can specifically happen for multi-IP classic jails.
In single-IP classic jails, the local address of a listening socket is
always rewritten to be that of the jail.
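The following is an added illustration of the check described above, written for this page; it is not the FreeBSD kernel code and does not use the kernel's data structures or function names. It models a wildcard PCB lookup over a small table of listeners and runs it twice: once with the per-jail address validation (the model's prison_owns_ip4(), standing in for the kernel's prison check) and once without, to show how a wildcard-bound listener in a multi-IP jail would otherwise accept a connection to an address that is not one of the jail's. The preference order (jailed exact, jailed wildcard, host exact, host wildcard) is an assumption made for the model, consistent with the thread's conclusion that a jailed wildcard listener wins over a host wildcard listener for the jail's own addresses. All names, addresses and the table contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build an IPv4 address as a host-order constant expression (usable in initializers). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Model of a jail and the IPv4 addresses assigned to it (hypothetical type). */
struct prison {
    const char *name;
    uint32_t ips[4];
    size_t nips;
};

/* Model of a listening socket: local address (0 = wildcard), local port,
 * and the owning jail (NULL = host). Hypothetical type, not the kernel's inpcb. */
struct pcb {
    const char *name;
    uint32_t laddr;
    uint16_t lport;
    const struct prison *pr;
};

/* Stand-in for the kernel's per-jail address check: does this jail own addr? */
static int prison_owns_ip4(const struct prison *pr, uint32_t addr)
{
    for (size_t i = 0; i < pr->nips; i++)
        if (pr->ips[i] == addr)
            return 1;
    return 0;
}

/* Wildcard lookup over a table of listeners for a packet to laddr:lport.
 * Assumed preference: jailed exact > jailed wildcard > host exact > host wildcard.
 * With check_jail == 0 the jailed candidates are not validated against their
 * jail's addresses, reproducing the missing-check behaviour the change fixes. */
static const struct pcb *
lookup_wild(const struct pcb *tbl, size_t n, uint32_t laddr, uint16_t lport, int check_jail)
{
    const struct pcb *local_exact = NULL, *local_wild = NULL, *jail_wild = NULL;

    for (size_t i = 0; i < n; i++) {
        const struct pcb *p = &tbl[i];
        int injail = (p->pr != NULL);

        if (p->lport != lport)
            continue;
        if (injail) {
            /* The restored check: a jailed socket may only match addresses of its jail. */
            if (check_jail && !prison_owns_ip4(p->pr, laddr))
                continue;
        } else if (local_exact != NULL) {
            continue;   /* already have the best possible host match */
        }

        if (p->laddr == laddr) {
            if (injail)
                return p;           /* jailed exact match: best possible */
            local_exact = p;
        } else if (p->laddr == 0) {
            if (injail)
                jail_wild = p;
            else
                local_wild = p;
        }
    }
    if (jail_wild != NULL)
        return jail_wild;
    if (local_exact != NULL)
        return local_exact;
    return local_wild;
}

/* Constructed scenario: a multi-IP jail and two sshd listeners bound to *:22. */
static const struct prison jailA = { "jailA", { IP4(192, 0, 2, 10), IP4(192, 0, 2, 11) }, 2 };
static const struct pcb table[] = {
    { "host-sshd",  0, 22, NULL },   /* sshd on the host, *:22 */
    { "jailA-sshd", 0, 22, &jailA }, /* sshd inside jailA, *:22 */
};
/* 192.0.2.20 is a host address that jailA does not own. */

/* Name of the listener that would accept a SYN to dst:port under the given policy. */
static const char *who_accepts(uint32_t dst, uint16_t port, int check_jail)
{
    const struct pcb *p = lookup_wild(table, sizeof table / sizeof table[0], dst, port, check_jail);
    return p != NULL ? p->name : "(none)";
}

int main(void)
{
    printf("192.0.2.10:22 with check -> %s\n", who_accepts(IP4(192, 0, 2, 10), 22, 1));
    printf("192.0.2.20:22 with check -> %s\n", who_accepts(IP4(192, 0, 2, 20), 22, 1));
    printf("192.0.2.20:22 no check   -> %s\n", who_accepts(IP4(192, 0, 2, 20), 22, 0));
    return 0;
}
```

The third lookup is the case the change closes: without the validation, the jailed wildcard listener wins the lookup for an address outside its jail, so the jailed sshd would accept a connection on a host-only IP. A single-IP jail does not show this because its wildcard bind is rewritten to the jail's address at bind time, as the summary notes.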
Details
- Reviewers: peter, glebius, bz
- Group Reviewers: network
- Commits: rGa306ed50ecd5: inpcb: Restore missing validation of local addresses for jailed sockets
I did some manual testing, and wrote some regression test cases which
would have uncovered the bugs: https://reviews.freebsd.org/D40269
Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
Jailed sockets with a wildcard local address should have lower priority than non-jailed sockets with a wildcard local address.
Should they? I honestly cannot remember if they should, given I haven't really done that in a decade or so, since almost all my jailed services get dedicated IPv6 addresses. But I seem to remember that if you tried to ssh to a jail with "overlapping" addresses to the host, you didn't want to accidentally end up on the host (that was the general example used back then).
Thanks, I believe you're right. The problem is limited to the missing checks in in/in6_pcblookup_hash_wild_smr().