Continue effort to improve parity between UDPv4 and UDPv6: add a missing

scope security check for the UDPv6 socket credential lookup service,
allowing security policies to bound access to credential information.
While not an immediate issue for Jail, which doesn't allow use of UDPv6,
this may be relevant to other security policies that may wish to control
ident lookups.

While here, eliminate a very unlikely panic case, in which a socket in
the process of being freed is inspected by the sysctl.

Approved by:	re (kensmith)
Reviewed by:	bz

1 files changed, 10 insertions, 6 deletions

diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 585b2b4..8910092 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -454,15 +454,19 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
 		return (ENOENT);
 	}
 	INP_LOCK(inp);
-	KASSERT(inp->inp_socket != NULL,
-	    ("udp6_getcred: inp_socket == NULL"));
-	/*
-	 * XXXRW: There should be a scoping access control check here.
-	 */
+	if (inp->inp_socket == NULL) {
+		error = ENOENT;
+		goto out;
+	}
+	error = cr_canseesocket(req->td->td_ucred, inp->inp_socket);
+	if (error)
+		goto out;
 	cru2x(inp->inp_socket->so_cred, &xuc);
+out:
 	INP_UNLOCK(inp);
 	INP_INFO_RUNLOCK(&udbinfo);
-	error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
+	if (error == 0)
+		error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
 	return (error);
 }