From 282a4dd52b337dccfb578e9d32dd1005c864dd8d Mon Sep 17 00:00:00 2001
From: Ghanan Gowripalan <ghanan@google.com>
Date: Thu, 16 Sep 2021 11:50:51 -0700
Subject: Don't allow binding to broadcast on ICMP sockets

...to match Linux behaviour.

Fixes #5711.

PiperOrigin-RevId: 397132671
---
 pkg/tcpip/transport/icmp/endpoint.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'pkg/tcpip/transport/icmp')

diff --git a/pkg/tcpip/transport/icmp/endpoint.go b/pkg/tcpip/transport/icmp/endpoint.go
index 00497bf07..1e519085d 100644
--- a/pkg/tcpip/transport/icmp/endpoint.go
+++ b/pkg/tcpip/transport/icmp/endpoint.go
@@ -688,9 +688,20 @@ func (e *endpoint) bindLocked(addr tcpip.FullAddress) tcpip.Error {
 	return nil
 }
 
+func (e *endpoint) isBroadcastOrMulticast(nicID tcpip.NICID, addr tcpip.Address) bool {
+	return addr == header.IPv4Broadcast ||
+		header.IsV4MulticastAddress(addr) ||
+		header.IsV6MulticastAddress(addr) ||
+		e.stack.IsSubnetBroadcast(nicID, e.NetProto, addr)
+}
+
 // Bind binds the endpoint to a specific local address and port.
 // Specifying a NIC is optional.
 func (e *endpoint) Bind(addr tcpip.FullAddress) tcpip.Error {
+	if len(addr.Addr) != 0 && e.isBroadcastOrMulticast(addr.NIC, addr.Addr) {
+		return &tcpip.ErrBadLocalAddress{}
+	}
+
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
-- 
cgit v1.2.3