Page MenuHomeFreeBSD

inpcb: Further restrict binding to a port owned by a different UID
ClosedPublic

Authored by markj on Dec 2 2024, 6:48 PM.
Tags
None
Referenced Files
F106901388: D47870.diff
Tue, Jan 7, 4:40 AM
Unknown Object (File)
Sun, Jan 5, 11:23 AM
Unknown Object (File)
Sat, Dec 28, 8:38 AM
Unknown Object (File)
Fri, Dec 27, 12:59 PM
Unknown Object (File)
Fri, Dec 27, 11:22 AM
Unknown Object (File)
Fri, Dec 27, 8:46 AM
Unknown Object (File)
Mon, Dec 23, 6:55 PM
Unknown Object (File)
Thu, Dec 12, 6:49 PM

Details

Summary

See D47832 for some more background.

I cannot see a good reason to continue ignoring mismatching UIDs when
binding to INADDR_ANY. Looking at the sdr.V2.4a7n sources (mentioned in
bugzilla PR 7713), there is a CANT_MCAST_BIND hack wherein the
application binds to INADDR_ANY instead of a multicast address, but
CANT_MCAST_BIND isn't defined for FreeBSD builds, and these sources date
from the 90s.

It seems unlikely that we still have a usecase for allowing sockets from
different UIDs to bind to the same port. And, as noted in D47832,
applications like sdr would have been broken by the inverted
SO_REUSEPORT check removed in that revision. Let's break compatibility
and simply disallow this case outright.

Sponsored by: Klara, Inc.
Sponsored by: Stormshield

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 60919
Build 57803: arc lint + arc unit

Event Timeline

markj requested review of this revision.Dec 2 2024, 6:48 PM

Do you have any idea on the inp->inp_socket->so_type != SOCK_STREAM check?

Do you have any idea on the inp->inp_socket->so_type != SOCK_STREAM check?

That check comes from commit 4658dc8325e03. The idea seems to be, it's okay to bind to a port that corresponds to a connected TCP socket, even if the socket is owned by a different user, so long as the 4-tuple is unique. I think this makes sense. It deserves a comment and probably a regression test, I'll work on that.

Add a comment explaining remaining checks, add a regression test
for port stealing from a connected socket.

Do you have any idea on the inp->inp_socket->so_type != SOCK_STREAM check?

Perhaps the check would be clearer if we checked inp->inp_socket->so_proto->pr_flags & PR_CONNREQUIRED instead.

This revision was not accepted when it landed; it landed in state Needs Review.Mon, Dec 23, 3:41 PM
This revision was automatically updated to reflect the committed changes.