On Wed, Mar 30, 2016 at 10:44:14PM +0200, Vincent Gross wrote:
> This diff moves the "are we binding to a privileged port while not being root?"
> check from in(6)_pcbaddrisavail() to in_pcbbind().
> --- sys/netinet/in_pcb.c 26 Mar 2016 21:56:04 -0000 1.198
> +++ sys/netinet/in_pcb.c 30 Mar 2016 20:33:00 -0000
> @@ -341,9 +341,14 @@ in_pcbbind(struct inpcb *inp, struct mbu
> }
> }
>
> - if (lport == 0)
> + if (lport == 0) {
> if ((error = in_pcbpickport(&lport, wild, inp, p)))
> return (error);
> + } else {
> + if (ntohs(lport) < IPPORT_RESERVED &&
> + (error = suser(p, 0)))
> + return (EACCES);
> + }
> inp->inp_lport = lport;
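Review bot: in the new else branch, `error` is assigned the result of suser(p, 0) but the branch then returns EACCES unconditionally, so the assignment is dead; either test `suser(p, 0) != 0` directly or return `error`. Also, this return happens after in_pcbbind() has already stored the requested local address into inp (the reply below makes the same point), so a bind that fails here leaves the pcb half-updated: the privilege check belongs before any field of inp is modified, so that a failed bind changes nothing.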
At this point inp has already been modified. So when we bail out
with EACCES here, we have a partially successful system call.
Move the assignments
    inp->inp_laddr6 = sin6->sin6_addr;
    inp->inp_laddr = sin->sin_addr;
down after the return (EACCES).
Looks like that return (error) was wrong before.
bluhm
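The ordering problem raised above, as an added illustration that is not OpenBSD code: a bind that fails must leave the pcb exactly as it was, so every check has to run before the first field is written. The two functions below model the reviewed ordering and the corrected one; `struct pcb`, `bind_unordered`, `bind_ordered`, `suser_stub` and `pcb_unchanged_after_failure` are hypothetical stand-ins for the kernel's inpcb, in_pcbbind() and suser().

```c
/* Added example, not OpenBSD code. Models the ordering bug discussed in
 * the thread: a syscall that fails part way through must not leave
 * partial state behind. All names are hypothetical stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define IPPORT_RESERVED 1024   /* same threshold the kernel check uses */

struct pcb {
    uint32_t laddr;   /* stand-in for inp_laddr */
    uint16_t lport;   /* stand-in for inp_lport (host byte order here) */
};

/* Stand-in for suser(): 0 when the caller is root, EPERM otherwise. */
static int suser_stub(int is_root)
{
    return is_root ? 0 : EPERM;
}

/* Reviewed ordering: the address is stored first, then the privileged-port
 * check may fail. The caller sees EACCES, but laddr has already changed. */
static int bind_unordered(struct pcb *inp, uint32_t addr, uint16_t port,
    int is_root)
{
    inp->laddr = addr;
    if (port != 0 && port < IPPORT_RESERVED && suser_stub(is_root) != 0)
        return (EACCES);
    inp->lport = port;
    return (0);
}

/* Corrected ordering: validate everything, then commit both fields. */
static int bind_ordered(struct pcb *inp, uint32_t addr, uint16_t port,
    int is_root)
{
    if (port != 0 && port < IPPORT_RESERVED && suser_stub(is_root) != 0)
        return (EACCES);
    inp->laddr = addr;
    inp->lport = port;
    return (0);
}

/* Drive an unprivileged bind to a reserved port through the given bind
 * routine. Returns 1 if it failed with EACCES and left the pcb untouched,
 * 0 if partial state leaked out of the failed call. */
static int pcb_unchanged_after_failure(int (*bind)(struct pcb *, uint32_t,
    uint16_t, int))
{
    struct pcb inp = { .laddr = 0, .lport = 0 };
    int error;

    error = bind(&inp, 0x7f000001u /* constructed address */, 80,
        0 /* not root */);
    return (error == EACCES && inp.laddr == 0 && inp.lport == 0);
}

int main(void)
{
    printf("unordered bind leaves pcb clean on failure: %d\n",
        pcb_unchanged_after_failure(bind_unordered));
    printf("ordered bind leaves pcb clean on failure:   %d\n",
        pcb_unchanged_after_failure(bind_ordered));
    return (0);
}
```

The check in `pcb_unchanged_after_failure` is what a caller of bind(2) implicitly relies on: after an error the socket should still be bindable to something else, which only holds for `bind_ordered`.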