When checking for possible port theft, skip over a TCP inpcb

unless it's in the closed or listening state (remote address
== INADDR_ANY).

If a TCP inpcb is in any other state, it's impossible to steal
its local port or use it for port theft.  And if there are
both closed/listening and connected TCP inpcbs on the same
localIP:port couple, the call to in_pcblookup_local() will
find the former due to the design of that function.

No objections raised in:	-net, -arch
MFC after:			1 month

1 files changed, 3 insertions, 7 deletions

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index c68ed23..d957307 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -332,14 +332,10 @@ in_pcbbind_setup(inp, nam, laddrp, lportp, cred)
 	 * XXX
 	 * This entire block sorely needs a rewrite.
 	 */
-				if (t && (t->inp_vflag & INP_TIMEWAIT)) {
-					if ((ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
-					    ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
-					    (intotw(t)->tw_so_options & SO_REUSEPORT) == 0) &&
-					    (so->so_cred->cr_uid != intotw(t)->tw_cred->cr_uid))
-						return (EADDRINUSE);
-				} else
 				if (t &&
+				    ((t->inp_vflag & INP_TIMEWAIT) == 0) &&
+				    (so->so_type != SOCK_STREAM ||
+				     ntohl(t->inp_faddr.s_addr) == INADDR_ANY) &&
 				    (ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
 				     ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
 				     (t->inp_socket->so_options &