[PATCH] epmd: include host address in local access check

Michael Santos <>
Thu Nov 25 01:38:04 CET 2010


In FreeBSD jails, the source and destination address of connections
to localhost are changed to be the IP address of the jail. Consider
connections from the host's IP address to itself (e.g., the source and
destination address match) to be local for the access control checks.

Reported-By: 
---
 erts/epmd/src/epmd_srv.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/erts/epmd/src/epmd_srv.c b/erts/epmd/src/epmd_srv.c
index ef471a4..ace736b 100644
--- a/erts/epmd/src/epmd_srv.c
+++ b/erts/epmd/src/epmd_srv.c
@@ -736,6 +736,7 @@ static int conn_open(EpmdVars *g,int fd)
   for (i = 0; i < g->max_conn; i++) {
     if (g->conn[i].open == EPMD_FALSE) {
       struct sockaddr_in si;
+      struct sockaddr_in di;
 #ifdef HAVE_SOCKLEN_T
       socklen_t st;
 #else
@@ -756,12 +757,16 @@ static int conn_open(EpmdVars *g,int fd)
       /* Determine if connection is from localhost */
       if (getpeername(s->fd,(struct sockaddr*) &si,&st) ||
 	  st < sizeof(si)) {
-	  /* Failure to get peername is regarder as non local host */
+	  /* Failure to get peername is regarded as non local host */
 	  s->local_peer = EPMD_FALSE;
       } else {
+	  /* Only 127.x.x.x and connections from the host's IP address
+	     allowed, no false positives */
 	  s->local_peer =
-	      ((((unsigned) ntohl(si.sin_addr.s_addr)) & 0xFF000000U) ==
-	       0x7F000000U); /* Only 127.x.x.x allowed, no false positives */
+	      (((((unsigned) ntohl(si.sin_addr.s_addr)) & 0xFF000000U) ==
+	       0x7F000000U) ||
+	       (getsockname(s->fd,(struct sockaddr*) &di,&st) ?
+	       EPMD_FALSE : si.sin_addr.s_addr == di.sin_addr.s_addr));
       }
       dbg_tty_printf(g,2,(s->local_peer) ? "Local peer connected" :
 		     "Non-local peer connected");
-- 
1.7.0.4



More information about the erlang-patches mailing list