[SCTP] Do not allow unprivileged programs initiating new associations on
privileged ports. Signed-off-by: Ivan Skytte Jorgensen <isj-sctp@i1.dk> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
parent
96a339985d
commit
64a0c1c81e
@ -1010,6 +1010,19 @@ static int __sctp_connect(struct sock* sk,
|
|||||||
err = -EAGAIN;
|
err = -EAGAIN;
|
||||||
goto out_free;
|
goto out_free;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* If an unprivileged user inherits a 1-many
|
||||||
|
* style socket with open associations on a
|
||||||
|
* privileged port, it MAY be permitted to
|
||||||
|
* accept new associations, but it SHOULD NOT
|
||||||
|
* be permitted to open new associations.
|
||||||
|
*/
|
||||||
|
if (ep->base.bind_addr.port < PROT_SOCK &&
|
||||||
|
!capable(CAP_NET_BIND_SERVICE)) {
|
||||||
|
err = -EACCES;
|
||||||
|
goto out_free;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
scope = sctp_scope(&to);
|
scope = sctp_scope(&to);
|
||||||
@ -1515,6 +1528,19 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
|
|||||||
err = -EAGAIN;
|
err = -EAGAIN;
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* If an unprivileged user inherits a one-to-many
|
||||||
|
* style socket with open associations on a privileged
|
||||||
|
* port, it MAY be permitted to accept new associations,
|
||||||
|
* but it SHOULD NOT be permitted to open new
|
||||||
|
* associations.
|
||||||
|
*/
|
||||||
|
if (ep->base.bind_addr.port < PROT_SOCK &&
|
||||||
|
!capable(CAP_NET_BIND_SERVICE)) {
|
||||||
|
err = -EACCES;
|
||||||
|
goto out_unlock;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
scope = sctp_scope(&to);
|
scope = sctp_scope(&to);
|
||||||
|
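Review bot: The privileged-port gate is duplicated verbatim in the `else` branch added to `__sctp_connect` and the one added to `sctp_sendmsg`; only the cleanup label and the comment wording ("1-many" vs "one-to-many") differ, and a permission check kept in two copies is easy to update in one place and miss in the other. A small static helper that returns `ep->base.bind_addr.port < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)` and carries the comment once would reduce each call site to `err = -EACCES; goto <label>;`. The comment could also say that `capable()` is evaluated against the task calling connect/sendmsg rather than the one that bound the socket, which is what makes the check meaningful for inherited sockets, and that the `< PROT_SOCK` comparison relies on `bind_addr.port` being in host byte order, which these hunks do not show. Both functions start and end outside the hunks, so any other path that opens an association should be checked for the same gate.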