Date: Wed, 21 Aug 2024 00:59:18 +0000 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Mark Johnston <markj@freebsd.org> Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: 417b35a97b76 - main - netinet: Add a sysctl to allow disabling connections to INADDR_ANY Message-ID: <ptpd2qzpxjewv7xyrucp74smgs4ou7pagatgv5wzp2tgsl4p4b@yrmgsluejrza> In-Reply-To: <202408202134.47KLYdPH055386@gitrepo.freebsd.org> References: <202408202134.47KLYdPH055386@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--7cczi3fmhkdqbt5t Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hey Mark, When I set the net.inet.ip.connect_inaddr_wild sysctl node to 0 and try running `nc -vv 0.0.0.0 22` (this VM has sshd enabled), the below-linked KASSERT fires: https://cgit.freebsd.org/src/tree/sys/netinet/in_pcb.c#n2304 No KASSERT is tripped on the IPv6 code path--that works fine. Only IPv4 is impacted. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc On Tue, Aug 20, 2024 at 09:34:39PM UTC, Mark Johnston wrote: > The branch main has been updated by markj: >=20 > URL: https://cgit.FreeBSD.org/src/commit/?id=3D417b35a97b7669eb0bf417b43e= 97cccbedbce6f9 >=20 > commit 417b35a97b7669eb0bf417b43e97cccbedbce6f9 > Author: Mark Johnston <markj@FreeBSD.org> > AuthorDate: 2024-08-20 21:31:57 +0000 > Commit: Mark Johnston <markj@FreeBSD.org> > CommitDate: 2024-08-20 21:31:57 +0000 >=20 > netinet: Add a sysctl to allow disabling connections to INADDR_ANY > =20 > See the discussion in Bugzilla PR 280705 for context. > =20 > PR: 280705 > MFC after: 1 week > Differential Revision: https://reviews.freebsd.org/D46259 > --- > sys/netinet/in_pcb.c | 8 +++++++- > sys/netinet6/in6_pcb.c | 12 +++++++++++- > 2 files changed, 18 insertions(+), 2 deletions(-) >=20 > diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c > index 1a341d421f31..3fc90f1e12c2 100644 > --- a/sys/netinet/in_pcb.c > +++ b/sys/netinet/in_pcb.c > @@ -234,6 +234,12 @@ in_pcbhashseed_init(void) > VNET_SYSINIT(in_pcbhashseed_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, > in_pcbhashseed_init, 0); > =20 > +VNET_DEFINE_STATIC(int, connect_inaddr_wild) =3D 1; > +#define V_connect_inaddr_wild VNET(connect_inaddr_wild) > +SYSCTL_INT(_net_inet_ip, OID_AUTO, connect_inaddr_wild, > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_inaddr_wild), 0, > + "Allow connecting to INADDR_ANY or INADDR_BROADCAST for connect(2)"); > + > static void in_pcbremhash(struct inpcb *); > =20 > /* > @@ -1309,7 +1315,7 @@ in_pcbconnect_setup(struct inpcb *inp, struct socka= ddr_in *sin, > inp->inp_flowtype =3D hash_type; > } > #endif > - if (!CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > + if (V_connect_inaddr_wild && !CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > /* > * If the destination address is INADDR_ANY, > * use the primary local address. > diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c > index e6ec0f24c898..098b4e50483c 100644 > --- a/sys/netinet6/in6_pcb.c > +++ b/sys/netinet6/in6_pcb.c > @@ -83,6 +83,7 @@ > #include <sys/socket.h> > #include <sys/socketvar.h> > #include <sys/sockio.h> > +#include <sys/sysctl.h> > #include <sys/errno.h> > #include <sys/time.h> > #include <sys/priv.h> > @@ -97,6 +98,7 @@ > #include <net/if_types.h> > #include <net/route.h> > #include <net/route/nhop.h> > +#include <net/vnet.h> > =20 > #include <netinet/in.h> > #include <netinet/in_var.h> > @@ -112,6 +114,14 @@ > #include <netinet6/in6_fib.h> > #include <netinet6/scope6_var.h> > =20 > +SYSCTL_DECL(_net_inet6); > +SYSCTL_DECL(_net_inet6_ip6); > +VNET_DEFINE_STATIC(int, connect_in6addr_wild) =3D 1; > +#define V_connect_in6addr_wild VNET(connect_in6addr_wild) > +SYSCTL_INT(_net_inet6_ip6, OID_AUTO, connect_in6addr_wild, > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_in6addr_wild), 0, > + "Allow connecting to the unspecified address for connect(2)"); > + > int > in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct ucred *= cred) > { > @@ -351,7 +361,7 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *= sin6, > if ((error =3D sa6_embedscope(sin6, V_ip6_use_defzone)) !=3D 0) > return(error); > =20 > - if (!CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > + if (V_connect_in6addr_wild && !CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > /* > * If the destination address is UNSPECIFIED addr, > * use the loopback addr, e.g ::1. >=20 --7cczi3fmhkdqbt5t Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmbFO+AACgkQ/y5nonf4 4fqemBAAjf67rFwLzeO9c4TVt+tKSJvOwnQuQGu+dsCzVHiEpx0UlLCU7aH867Uo 7rUQvnq5ZXP9JBb53xk9M4g4Qv/jAky0waM4nWy6XvI9dohGVRQY/dB+6L0d+A/1 QcMcJsxs3VV0NTQ2vKPayB1YYtsM0uX4OwfTDx1mKHkVIucq84n5nCeHWWLcvoUh e7TF038IFvgfI/FdMGsBuLiv5gAxE0fTMftMB6ss/3wAlEKrTHNfR9K8CJTlkZig FPRe19byPYPutMjReMYTqkaEpgs37UB+iuVDCJRIaNmlzheHHVZIUePXgZHlh6r9 PsBdan/BlipbyDHtqWR2gtVH1a8XvdAUJZF5iIhPSRu6Tg0/mTn1iyWKQKsdElv3 /WW+YnlUnCP48ea4K83CTYS0ip7f0mQTX8G5dCcAhO99WixLZzok8HQNGs+/+Lik Jd491rqLzntkp1EQPjh+56kOdYxNthXbVLGAbGjPYRFKmHVRrpEpWllSvUjcdHdW xdzbB7yXkCR92c3fJcKkf4SeFqhsArFRU+FTuhrkZqawrQ8g6aS914tghJXQtMKP ftIRo/cb4fLrmopWGBzh/r3qGwiOoiWOuMjJULDTjvViaKUN0NnAsPE7OQhVTlqe 9yjJcHqni9GnnZ9yyHlAhGfu+OCo3nupc27Ki2nY8BBx991V0kE= =kGZs -----END PGP SIGNATURE----- --7cczi3fmhkdqbt5t--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ptpd2qzpxjewv7xyrucp74smgs4ou7pagatgv5wzp2tgsl4p4b>