Anton kindly pointed out (and fixed) a bug in the Jail handling of the

bind() call on IPv4 sockets:

  Currently, if one tries to bind a socket using INADDR_LOOPBACK inside a
  jail, it will fail because prison_ip() does not take this possibility
  into account.  On the other hand, when one tries to connect(), for
  example, to localhost, prison_remote_ip() will silently convert
  INADDR_LOOPBACK to the jail's IP address.  Therefore, it is desirable to
  make bind() to do this implicit conversion as well.

  Apart from this, the patch also replaces 0x7f000001 in
  prison_remote_ip() to a more correct INADDR_LOOPBACK.

This is a 4.4-RELEASE "during the freeze, thanks" MFC candidate.

Submitted by:	Anton Berezin <tobez@FreeBSD.org>
Discussed with at some point:	phk
MFC after:	3 days

1 files changed, 8 insertions, 1 deletions

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index c417667..b80d2f1 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -123,6 +123,13 @@ prison_ip(struct ucred *cred, int flag, u_int32_t *ip)
 			*ip = htonl(cred->cr_prison->pr_ip);
 		return (0);
 	}
+	if (tmp == INADDR_LOOPBACK) {
+		if (flag)
+			*ip = cred->cr_prison->pr_ip;
+		else
+			*ip = htonl(cred->cr_prison->pr_ip);
+		return (0);
+	}
 	if (cred->cr_prison->pr_ip != tmp)
 		return (1);
 	return (0);
@@ -139,7 +146,7 @@ prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip)
 		tmp = *ip;
 	else
 		tmp = ntohl(*ip);
-	if (tmp == 0x7f000001) {
+	if (tmp == INADDR_LOOPBACK) {
 		if (flag)
 			*ip = cred->cr_prison->pr_ip;
 		else