author | rwatson <rwatson@FreeBSD.org> | 2008-05-22 07:18:54 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-05-22 07:18:54 +0000 |
commit | 60b4eaf522405eafec6ba998afa8f7eaa4919166 (patch) | |
tree | cfbaa2620cd1238e7a9b636dec8e6212b6389a11 /sys/kern/uipc_syscalls.c | |
parent | a7b5cc6647e71c6885fd4984d8b34e02b065187a (diff) | |
When sendto(2) is called with an explicit destination address
argument, call mac_socket_check_connect() on that address before
proceeding with the send. Otherwise policies instrumenting the
connect entry point for the purposes of checking destination
addresses will not have the opportunity to check implicit
connect requests.
MFC after: 3 weeks
Sponsored by: nCircle Network Security, Inc.
Diffstat (limited to 'sys/kern/uipc_syscalls.c')
-rw-r--r-- | sys/kern/uipc_syscalls.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 0599b22..994605b 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -750,7 +750,11 @@ kern_sendit(td, s, mp, flags, control, segflg) #ifdef MAC SOCK_LOCK(so); - error = mac_socket_check_send(td->td_ucred, so); + if (mp->msg_name != NULL) + error = mac_socket_check_connect(td->td_ucred, so, + mp->msg_name); + if (error == 0) + error = mac_socket_check_send(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto bad; |
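Review bot: In the `#ifdef MAC` block, the new `if (error == 0)` guard reads `error` without this block having assigned it when `mp->msg_name` is NULL, so whether `mac_socket_check_send()` runs on a plain send depends on `error` already being zero from code above the hunk. That is safe only if every earlier failure path has already returned or jumped to `bad`. If it has, an explicit `error = 0;` ahead of `if (mp->msg_name != NULL)`, or a one-line comment stating the assumption, would make the dependency visible and keep a later change above this point from silently skipping the send check. A short comment that an explicit destination address is treated as an implicit connect would also help, since the reason the connect entry point is called from the send path is currently recorded only in the commit message.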