From 851176f9b29ec15b93533a745ebcd7a0999c3ade Mon Sep 17 00:00:00 2001
From: Mark Huang <mlhuang@cs.princeton.edu>
Date: Wed, 25 Aug 2004 18:40:36 +0000
Subject: [PATCH] Silently drop if VNET is active (if INET bind() has been
 overridden) and the context is not entitled to read the packet.

If a socket has been closed, the xid is set to -1; in this case,
consider the socket to be owned by root and allow the packet to pass.
---
 include/net/sock.h  | 10 ++++++++--
 net/ipv4/tcp_ipv4.c | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index ec26f83a6..f28b40077 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1070,15 +1070,21 @@ extern void sk_reset_timer(struct sock *sk, struct timer_list* timer,
 
 extern void sk_stop_timer(struct sock *sk, struct timer_list* timer);
 
+extern struct proto_ops inet_stream_ops;
+
+extern int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len);
+
 static inline int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
 	int err = 0;
 	int skb_len;
 
-	/* Silently drop if the context is not entitled to read the
+	/* Silently drop if VNET is active (if INET bind() has been
+	 * overridden) and the context is not entitled to read the
 	 * packet.
 	 */
-	if (sk->sk_xid && sk->sk_xid != skb->xid)
+	if (inet_stream_ops.bind != inet_bind &&
+	    (int) sk->sk_xid >= 0 && sk->sk_xid != skb->xid)
 		goto out;
 
 	/* Cast skb->rcvbuf to unsigned... It's pointless, but reduces
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 97a0eeafc..504bbef97 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1763,6 +1763,10 @@ csum_err:
 	goto discard;
 }
 
+extern struct proto_ops inet_stream_ops;
+
+extern int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len);
+
 /*
  *	From tcp_input.c
  */
@@ -1814,10 +1818,12 @@ int tcp_v4_rcv(struct sk_buff *skb)
 		goto no_tcp_socket;
 
 process:
-	/* Silently drop if the context is not entitled to read the
+	/* Silently drop if VNET is active (if INET bind() has been
+	 * overridden) and the context is not entitled to read the
 	 * packet.
 	 */
-	if (sk->sk_xid && sk->sk_xid != skb->xid)
+	if (inet_stream_ops.bind != inet_bind &&
+	    (int) sk->sk_xid >= 0 && sk->sk_xid != skb->xid)
 		goto discard_it;
 
 	if (sk->sk_state == TCP_TIME_WAIT)
-- 
2.47.0