svn commit: r213249 - stable/6/sys/netinet

Bjoern A. Zeeb bz at FreeBSD.org
Tue Sep 28 19:17:40 UTC 2010


Author: bz
Date: Tue Sep 28 19:17:39 2010
New Revision: 213249
URL: http://svn.freebsd.org/changeset/base/213249

Log:
  r201663 introduced a bug in stable/6: prison_ip() might change the
  address argument passed to it, while we are only interested in whether
  it is a valid address of the jail.
  This can overwrite an address in the live interface address list with an
  address of the jail.  Make a copy of the address for the call to
  prison_ip() to avoid this.
  
  Reported by:	Andreas Longwitz (longwitz incore.de)
  Tested by:	Andreas Longwitz (longwitz incore.de)
  PR:		kern/114325

Modified:
  stable/6/sys/netinet/in.c

Modified: stable/6/sys/netinet/in.c
==============================================================================
--- stable/6/sys/netinet/in.c	Tue Sep 28 15:33:30 2010	(r213248)
+++ stable/6/sys/netinet/in.c	Tue Sep 28 19:17:39 2010	(r213249)
@@ -252,12 +252,15 @@ in_control(so, cmd, data, ifp, td)
 	 * the first one on the interface, if possible.
 	 */
 	if (ifp) {
+		struct in_addr tmp;
+
 		dst = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
 		LIST_FOREACH(iap, INADDR_HASH(dst.s_addr), ia_hash)
 			if (iap->ia_ifp == ifp &&
 			    iap->ia_addr.sin_addr.s_addr == dst.s_addr) {
+				tmp.s_addr = dst.s_addr;
 				if (td == NULL || !prison_ip(
-				    td->td_ucred, 0, &dst.s_addr))
+				    td->td_ucred, 0, &tmp.s_addr))
 					ia = iap;
 				break;
 			}
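Review bot: Nothing at `tmp.s_addr = dst.s_addr;` records why the address is copied before prison_ip() is called, so a later cleanup could pass `&dst.s_addr` or the interface address field directly again and reintroduce the overwrite described in the log. I would add above the assignment `/* prison_ip() may rewrite *ip; pass a scratch copy so the original address is untouched. */`. The same comment fits the `tmp.s_addr = iap->ia_addr.sin_addr.s_addr;` assignment in the second hunk. in_control() begins and ends outside this hunk.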
@@ -265,9 +268,11 @@ in_control(so, cmd, data, ifp, td)
 			TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
 				iap = ifatoia(ifa);
 				if (iap->ia_addr.sin_family == AF_INET) {
+					tmp.s_addr =
+					    iap->ia_addr.sin_addr.s_addr;
 					if (td != NULL &&
 					    prison_ip(td->td_ucred, 0,
-					    &iap->ia_addr.sin_addr.s_addr))
+					    &tmp.s_addr))
 						continue;
 					ia = iap;
 					break;
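Review bot: The scratch copy protects this call only; prison_ip() still writes through its address pointer, so the hazard remains for any other caller that hands it a pointer into a live structure, as the removed `&iap->ia_addr.sin_addr.s_addr` did here. Other callers in stable/6 are not visible in this diff, so this is an audit item rather than a confirmed defect. Since the corruption crosses the jail boundary into the shared interface address list, it would be worth checking each remaining prison_ip() call for an argument that is not a local copy. The enclosing loop and in_control() continue outside this hunk.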

