Disable remote TCP connections

For security reasons, TCP sockets now listen on the loopback
IPv4 address 127.0.0.1 for incoming TCP connections.

Bug: 23272146
Change-Id: I88523f643f305f2281740575d7011b6077bf0843

diff --git a/osi/include/socket.h b/osi/include/socket.h
index e2d0888..2833290 100644 (file)
--- a/osi/include/socket.h
+++ b/osi/include/socket.h
@@ -45,8 +45,8 @@ socket_t *socket_new_from_fd(int fd);
 void socket_free(socket_t *socket);
 
 // Puts |socket| in listening mode for incoming TCP connections on the specified
-// |port|. Returns true on success, false on failure (e.g. |port| is bound by
-// another socket). |socket| may not be NULL.
+// |port| and the loopback IPv4 address. Returns true on success, false on
+// failure (e.g. |port| is bound by another socket). |socket| may not be NULL.
 bool socket_listen(const socket_t *socket, port_t port);
 
 // Blocks on a listening socket, |socket|, until a client connects to it. Returns

diff --git a/osi/src/socket.c b/osi/src/socket.c
index 8841d56..91f084e 100644 (file)
--- a/osi/src/socket.c
+++ b/osi/src/socket.c
@@ -34,6 +34,9 @@
 #include "osi/include/reactor.h"
 #include "osi/include/socket.h"
 
+// The IPv4 loopback address: 127.0.0.1
+static const in_addr_t LOCALHOST_ = 0x7f000001;
+
 struct socket_t {
   int fd;
   reactor_object_t *reactor_object;
@@ -100,7 +103,7 @@ bool socket_listen(const socket_t *socket, port_t port) {
 
   struct sockaddr_in addr;
   addr.sin_family = AF_INET;
-  addr.sin_addr.s_addr = 0;
+  addr.sin_addr.s_addr = htonl(LOCALHOST_);
   addr.sin_port = htons(port);
   if (bind(socket->fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
     LOG_ERROR("%s unable to bind socket to port %u: %s", __func__, port, strerror(errno));