diff options
| author | Ghanan Gowripalan <ghanan@google.com> | 2021-09-16 11:50:51 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-09-16 11:53:49 -0700 |
| commit | 282a4dd52b337dccfb578e9d32dd1005c864dd8d (patch) | |
| tree | 63323d5ce90d63c72ab23f579e75939c76ff9a51 | |
| parent | eb07b91e61ca47ecf6b9b3122a5527817cc74211 (diff) | |
Don't allow binding to broadcast on ICMP sockets
...to match Linux behaviour.
Fixes #5711.
PiperOrigin-RevId: 397132671
| -rw-r--r-- | pkg/tcpip/transport/icmp/endpoint.go | 11 | ||||
| -rw-r--r-- | test/syscalls/linux/ping_socket.cc | 6 |
2 files changed, 11 insertions, 6 deletions
diff --git a/pkg/tcpip/transport/icmp/endpoint.go b/pkg/tcpip/transport/icmp/endpoint.go index 00497bf07..1e519085d 100644 --- a/pkg/tcpip/transport/icmp/endpoint.go +++ b/pkg/tcpip/transport/icmp/endpoint.go @@ -688,9 +688,20 @@ func (e *endpoint) bindLocked(addr tcpip.FullAddress) tcpip.Error { return nil } +func (e *endpoint) isBroadcastOrMulticast(nicID tcpip.NICID, addr tcpip.Address) bool { + return addr == header.IPv4Broadcast || + header.IsV4MulticastAddress(addr) || + header.IsV6MulticastAddress(addr) || + e.stack.IsSubnetBroadcast(nicID, e.NetProto, addr) +} + // Bind binds the endpoint to a specific local address and port. // Specifying a NIC is optional. func (e *endpoint) Bind(addr tcpip.FullAddress) tcpip.Error { + if len(addr.Addr) != 0 && e.isBroadcastOrMulticast(addr.NIC, addr.Addr) { + return &tcpip.ErrBadLocalAddress{} + } + e.mu.Lock() defer e.mu.Unlock() diff --git a/test/syscalls/linux/ping_socket.cc b/test/syscalls/linux/ping_socket.cc index 684983a4c..025c9568f 100644 --- a/test/syscalls/linux/ping_socket.cc +++ b/test/syscalls/linux/ping_socket.cc @@ -128,9 +128,6 @@ std::vector<std::tuple<SocketKind, BindTestCase>> ICMPTestCases() { { .bind_to = V4Broadcast(), .want = EADDRNOTAVAIL, - // TODO(gvisor.dev/issue/5711): Remove want_gvisor once ICMP - // sockets are no longer allowed to bind to broadcast addresses. - .want_gvisor = 0, }, { .bind_to = V4Loopback(), @@ -139,9 +136,6 @@ std::vector<std::tuple<SocketKind, BindTestCase>> ICMPTestCases() { { .bind_to = V4LoopbackSubnetBroadcast(), .want = EADDRNOTAVAIL, - // TODO(gvisor.dev/issue/5711): Remove want_gvisor once ICMP - // sockets are no longer allowed to bind to broadcast addresses. - .want_gvisor = 0, }, { .bind_to = V4Multicast(), |