git: 058bcb57cd4b - releng/14.3 - inpcb: Ignore SO_REUSEPORT_LB on connected sockets

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 22 Oct 2025 15:51:57 UTC
The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=058bcb57cd4b7e855cd596316541aff0adc5ddcf

commit 058bcb57cd4b7e855cd596316541aff0adc5ddcf
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-10-06 13:37:47 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-10-22 15:50:47 +0000

    inpcb: Ignore SO_REUSEPORT_LB on connected sockets
    
    While TCP disallows connect()ing a socket with SO_REUSEPORT_LB, UDP does
    not.  As a result, a connected UDP socket can be placed in the lbgroup
    hash and thus receive datagrams from sources other than the connected
    host.
    
    Reported by:    Amit Klein <amit.klein@mail.huji.ac.il>
    Reported by:    Omer Ben Simhon <omer.bensimhon@mail.huji.ac.il>
    Reviewed by:    glebius
    Approved by:    so
    Security:       FreeBSD-SA-25:09.netinet
    Security:       CVE-2025-24934
    
    (cherry picked from commit 320ad3dec5ff1b37f6907a47961c18b9d77e6a53)
    (cherry picked from commit e276759b368701a49e543c45d5d6ea08ed4fbc38)
---
 sys/netinet/in_pcb.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 89000a521bff..7d665c7d2a73 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -2702,10 +2702,13 @@ in_pcbinshash(struct inpcb *inp)
 	    INP_PCBPORTHASH(inp->inp_lport, pcbinfo->ipi_porthashmask)];
 
 	/*
-	 * Add entry to load balance group.
-	 * Only do this if SO_REUSEPORT_LB is set.
+	 * Ignore SO_REUSEPORT_LB if the socket is connected.  Really this case
+	 * should be an error, but for UDP sockets it is not, and some
+	 * applications erroneously set it on connected UDP sockets, so we can't
+	 * change this without breaking compatibility.
 	 */
-	if ((inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) {
+	if (!connected &&
+	    (inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) {
 		int error = in_pcbinslbgrouphash(inp, M_NODOM);
 		if (error != 0)
 			return (error);
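Review bot: the new condition at `if (!connected &&` depends on a `connected` flag that is not computed within this hunk; confirm it is set earlier in in_pcbinshash() by the same test used in in_pcbrehash() (`!in_nullhost(inp->inp_faddr)`, plus the IPv6 equivalent) so both hash paths agree on what "connected" means. The new comment also explains why the case is tolerated rather than rejected but not what happens when a socket that is already in the lbgroup becomes connected later; a one-line pointer to the removal in in_pcbrehash() would make the two halves of the fix easier to follow.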
@@ -2836,6 +2839,10 @@ in_pcbrehash(struct inpcb *inp)
 		connected = !in_nullhost(inp->inp_faddr);
 	}
 
+	/* See the comment in in_pcbinshash(). */
+	if (connected && (inp->inp_flags & INP_INLBGROUP) != 0)
+		in_pcbremlbgrouphash(inp);
+
 	/*
 	 * When rehashing, the caller must ensure that either the new or the old
 	 * foreign address was unspecified.
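Review bot: the added `if (connected && (inp->inp_flags & INP_INLBGROUP) != 0)` block only handles the connect direction; a UDP socket with SO_REUSEPORT_LB that is later disconnected (foreign address cleared) reaches this rehash with `connected` false and is not re-inserted into the lbgroup, so it silently stops load-balancing. If that is the intended outcome, say so in the comment; otherwise the symmetric re-insertion belongs here. A regression test that binds a UDP socket with SO_REUSEPORT_LB, connects it, and verifies that datagrams from a different source are no longer delivered to it would pin down the behaviour this hunk changes.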