When a classic jail has a single IP, any attempt to bind a jailed socket
to an unspecified address automatically has the address rewritten to
that of the jail. Commit 7b92493ab1d4 didn't handle the case of
multi-IP classic jails, where this rewrite doesn't happen.

Fix two problems with the matching logic:
- Jailed sockets with a wildcard local address should have lower
  priority than non-jailed sockets with a wildcard local address.
- When a lookup matches a wildcard jailed socket, verify that the jail
  actually owns the destination IP. Otherwise a multi-IP-jailed socket
  can steal connections intended for the host.

After finding a match, we need to verify that the local IP address
belongs to the match's jail, if any. Otherwise it becomes possible for
a jailed process to accept connections on IPs not belonging to the jail.

This can specifically happen for multi-IP classic jails. In single-IP
classic jails, the local address of a listening socket is always
rewritten to be that of the jail.

Fixes: 7b92493ab1d4 ("inpcb: Avoid inp_cred dereferences in SMR-protected lookup")
Reported by: peter
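The ownership check the commit message calls for, as a constructed userland model added here; it is not FreeBSD's in_pcb.c, and `struct jail`, `struct inpcb`, `wild_match_allowed()`, `pcblookup_wild()`, the sample table and the addresses are all hypothetical. It shows how a wildcard-bound jailed listener, without the check, would receive a connection destined for a host IP.

```c
/* Constructed model of the check described above: a wildcard-bound jailed
 * socket may only match destinations its jail owns. Hypothetical names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
struct jail { uint32_t ips[4]; size_t nips; };            /* IPv4 addresses assigned to the jail */
struct inpcb { uint32_t laddr; const struct jail *jail; }; /* laddr 0 = INADDR_ANY; jail NULL = host socket */

/* Stand-in for the kernel's prison IP check: does the jail own ip? */
static bool jail_owns_ip(const struct jail *j, uint32_t ip)
{
    for (size_t i = 0; i < j->nips; i++)
        if (j->ips[i] == ip)
            return true;
    return false;
}

/* The fix: a wildcard match on a jailed socket is only valid when the
 * destination address belongs to that jail; host sockets are unrestricted. */
bool wild_match_allowed(const struct inpcb *inp, uint32_t daddr)
{
    return inp->jail == NULL || jail_owns_ip(inp->jail, daddr);
}

/* Exact local-address matches first (what a single-IP jail's rewritten
 * bind produces), then wildcard sockets in table order, each filtered by
 * wild_match_allowed(). Host-vs-jail wildcard priority is not modelled. */
const struct inpcb *
pcblookup_wild(const struct inpcb *tbl, size_t n, uint32_t daddr)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].laddr == daddr)
            return &tbl[i];
    for (size_t i = 0; i < n; i++)
        if (tbl[i].laddr == 0 && wild_match_allowed(&tbl[i], daddr))
            return &tbl[i];
    return NULL;
}

/* Constructed table: a multi-IP jail (10.0.0.5, 10.0.0.6) whose wildcard
 * listener sits ahead of the host's wildcard listener. */
static const struct jail demo_jail = { { 0x0A000005u, 0x0A000006u }, 2 };
static const struct inpcb demo_tbl[] = { { 0, &demo_jail }, { 0, NULL } };

/* Returns 0 for the jailed socket, 1 for the host socket, -1 for none. */
int demo_lookup(uint32_t daddr)
{
    const struct inpcb *inp = pcblookup_wild(demo_tbl, 2, daddr);
    return inp == NULL ? -1 : (int)(inp - demo_tbl);
}
```

With the check in place a connection to the host's 192.0.2.1 reaches the host listener even though the jailed wildcard listener is found first; without it, the jailed socket would take that connection.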