Author: bz
Date: Tue Sep 28 19:17:39 2010
New Revision: 213249
URL: http://svn.freebsd.org/changeset/base/213249

Log:
  r201663 introduced a bug in stable/6 that prison_ip() might change the
  passed address argument, while we are only interested in whether it is a
  valid address of the jail.
  This can modify an address in the live interface address list with an
  address of the jail.  Make a copy of the address for the call to
  prison_ip() to avoid this.
  
  Reported by:  Andreas Longwitz (longwitz incore.de)
  Tested by:    Andreas Longwitz (longwitz incore.de)
  PR:           kern/114325

Modified:
  stable/6/sys/netinet/in.c

Modified: stable/6/sys/netinet/in.c
==============================================================================
--- stable/6/sys/netinet/in.c   Tue Sep 28 15:33:30 2010        (r213248)
+++ stable/6/sys/netinet/in.c   Tue Sep 28 19:17:39 2010        (r213249)
@@ -252,12 +252,15 @@ in_control(so, cmd, data, ifp, td)
         * the first one on the interface, if possible.
         */
        if (ifp) {
+               struct in_addr tmp;
+
                dst = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
                LIST_FOREACH(iap, INADDR_HASH(dst.s_addr), ia_hash)
                        if (iap->ia_ifp == ifp &&
                            iap->ia_addr.sin_addr.s_addr == dst.s_addr) {
+                               tmp.s_addr = dst.s_addr;
                                if (td == NULL || !prison_ip(
-                                   td->td_ucred, 0, &dst.s_addr))
+                                   td->td_ucred, 0, &tmp.s_addr))
                                        ia = iap;
                                break;
                        }
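Review bot: The scratch variable `tmp` declared at the top of the `if (ifp)` block has no comment saying why it exists, so the copy `tmp.s_addr = dst.s_addr;` reads as redundant to anyone who does not know that prison_ip() can write through its address pointer (as the log message states). A one-line comment on the declaration would keep a later cleanup from folding the copy away, for example `/* prison_ip() may overwrite the address it is handed; never give it a pointer into live data. */`. The same comment explains the assignment in the second hunk, where the pointer previously went straight into `iap->ia_addr`. in_control() begins and ends outside this hunk.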
@@ -265,9 +268,11 @@ in_control(so, cmd, data, ifp, td)
                        TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
                                iap = ifatoia(ifa);
                                if (iap->ia_addr.sin_family == AF_INET) {
+                                       tmp.s_addr =
+                                           iap->ia_addr.sin_addr.s_addr;
                                        if (td != NULL &&
                                            prison_ip(td->td_ucred, 0,
-                                           &iap->ia_addr.sin_addr.s_addr))
+                                           &tmp.s_addr))
                                                continue;
                                        ia = iap;
                                        break;
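Review bot: Copying into `tmp` protects this call site only. prison_ip() still takes an in/out pointer, so any other caller that passes a pointer into a shared structure would let a jailed credential's check rewrite kernel state in the same way. Whether such callers exist cannot be seen from this diff, so an audit of the remaining prison_ip() call sites in this branch seems worth doing alongside the fix. Both calls here only want a yes/no answer, so a check-only helper that takes the address by value and makes the copy internally would close the hazard at the interface instead of per caller. The TAILQ_FOREACH body continues past the end of this hunk.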