libnet/pa: don't set SO_REUSEADDR on UDP sockets #50669
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a bug where the Docker Engine's port allocator could allow multiple UDP sockets to bind to the same port by preventing SO_REUSEADDR from being set on UDP sockets.
- Modified
bindTCPOrUDPfunction to only set SO_REUSEADDR for TCP sockets - Added a unit test to verify that duplicate UDP port binds are properly rejected
- Ensures port allocator correctly detects conflicts for UDP ports
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
daemon/libnetwork/portallocator/osallocator_linux.go |
Conditionally sets SO_REUSEADDR only for TCP protocol |
daemon/libnetwork/portallocator/osallocator_linux_test.go |
Adds test to verify UDP port binding exclusivity |
The userland proxy uses unconnected UDP sockets to receive packets from anywhere, so enabling SO_REUSEADDR means that multiple sockets can bind the same port. This defeats the purpose of the portallocator, which is supposed to ensure that the port is free and not already in use (either by us, or by another process). So, do not enable SO_REUSEADDR for UDP sockets. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
b05df88 to
c6be4ad
Compare
vvoland
approved these changes
Aug 8, 2025
robmry
approved these changes
Aug 8, 2025
corhere
approved these changes
Aug 8, 2025
Member
Author
|
There's one buildkit job failing on Windows: But this PR only touches |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
The userland proxy uses unconnected UDP sockets to receive packets from anywhere, so enabling SO_REUSEADDR means that multiple sockets can bind the same port. This defeats the purpose of the portallocator, which is supposed to ensure that the port is free and not already in use (either by us, or by another process). So, do not enable SO_REUSEADDR for UDP sockets.
- How to verify it
A new unit test is added to make sure that the same UDP port can't be bound more than once.
- Human readable description for the release notes
- Fix a bug that could cause the Engine and another host process to bind the same UDP port