author | Ivan Skytte Jorgensen <isj-sctp@i1.dk> | 2005-10-28 18:39:02 -0400 |
committer | Sridhar Samudrala <sri@us.ibm.com> | 2005-10-28 18:39:02 -0400 |
commit | 64a0c1c81e300f0f56f26604c81040784e3717f0 (patch) | |
tree | 845863e5b3fc06a9de54104f32e28bbe914ee44a /net/sctp | |
parent | 96a339985d4c6874d32909e8f1903e6e6c141399 (diff) |
[SCTP] Do not allow unprivileged programs initiating new associations on
privileged ports.
Signed-off-by: Ivan Skytte Jorgensen <isj-sctp@i1.dk>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Diffstat (limited to 'net/sctp')
-rw-r--r-- | net/sctp/socket.c | 26 |
1 files changed, 26 insertions, 0 deletions
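--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1010,6 +1010,19 @@ static int __sctp_connect(struct sock* sk,
 err = -EAGAIN;
 goto out_free;
 }
+} else {
+/*
+* If an unprivileged user inherits a 1-many
+* style socket with open associations on a
+* privileged port, it MAY be permitted to
+* accept new associations, but it SHOULD NOT
+* be permitted to open new associations.
+*/
+if (ep->base.bind_addr.port < PROT_SOCK &&
+!capable(CAP_NET_BIND_SERVICE)) {
+err = -EACCES;
+goto out_free;
+}
 }
 
 scope = sctp_scope(&to);
@@ -1515,6 +1528,19 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
 err = -EAGAIN;
 goto out_unlock;
 }
+} else {
+/*
+* If an unprivileged user inherits a one-to-many
+* style socket with open associations on a privileged
+* port, it MAY be permitted to accept new associations,
+* but it SHOULD NOT be permitted to open new
+* associations.
+*/
+if (ep->base.bind_addr.port < PROT_SOCK &&
+!capable(CAP_NET_BIND_SERVICE)) {
+err = -EACCES;
+goto out_unlock;
+}
 }
 
 scope = sctp_scope(&to);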
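Review bot: The privileged-port check is pasted twice, once in `__sctp_connect` and once in `sctp_sendmsg`, with the same condition, the same `-EACCES` result and two slightly different copies of the rationale comment ("1-many" vs "one-to-many"); the two copies will drift the next time the policy is touched, so the check belongs in one static helper that both paths call. The `if` whose `else` branch each hunk adds lies outside the hunk, so I cannot see which bind state the new branch covers; the comment suggests it is the "already bound, now opening a new association" case, and the helper's name should say that. Both enclosing functions start and end outside the hunks. Keeping the `capable()` call at the point of the connect/sendmsg is correct — the privilege that matters is the caller's at the time the new association is initiated, not the socket creator's — and that is worth stating in the helper's comment so nobody later hoists it to bind time.
```c
/*
 * A one-to-many socket bound to a privileged port may be inherited by an
 * unprivileged process; such a process may accept associations on it but
 * must not initiate new ones.  Checked at connect/sendmsg time because it
 * is the current caller's privilege that matters, not the binder's.
 */
static inline int sctp_check_priv_port(const struct sctp_endpoint *ep)
{
	if (ep->base.bind_addr.port < PROT_SOCK &&
	    !capable(CAP_NET_BIND_SERVICE))
		return -EACCES;
	return 0;
}

/* … unchanged: __sctp_connect up to the bind-state branch … */
	} else {
		err = sctp_check_priv_port(ep);
		if (err)
			goto out_free;
	}
/* … unchanged: rest of __sctp_connect; same call in sctp_sendmsg with goto out_unlock … */
```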