Drop capabilities when `setsockopt` errors 487/head
authorflu0r1ne <flu0r1ne@flu0r1ne.net>
Tue, 3 Oct 2023 01:16:28 +0000 (20:16 -0500)
committerflu0r1ne <flu0r1ne@flu0r1ne.net>
Tue, 3 Oct 2023 01:16:28 +0000 (20:16 -0500)
Ensure that `set_privileged_socket_opt` drops capabilities even in the event
that `setsockopt` returns an error.

packet/construct_unix.c

index 0d3b1f2fa4b359e0760dfce5aacc01ddd9f0f528..95fefbaa4745a3ffe152d39a24e4de7afc2ca2e6 100644 (file)
@@ -331,12 +331,10 @@ int set_privileged_socket_opt(int socket, int option_name,
     if (cap_set_proc(cap)) {
         goto cleanup_and_exit;
     }
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 
     // Set the socket mark
-    if (setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len)) {
-        goto cleanup_and_exit;
-    }
+    int set_sock_err = setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len);
 
     // Drop CAP_NET_ADMIN from the effective set if libcap is present
 #ifdef HAVE_LIBCAP
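Review bot: The `errno` left by a failing `setsockopt` is not saved before the capability-drop calls that now run between the call and the return, so a caller that reports `errno` on failure may see a value written by the libcap calls instead. Adding `int saved_errno = errno;` directly after the `setsockopt` line, and `errno = saved_errno;` on the `set_sock_err` failure path before returning, would keep the original cause. Whether callers read `errno` is not visible here, since the function starts and continues outside this hunk. The new declaration also sits after earlier `goto cleanup_and_exit` jumps. That is legal C and safe only while `set_sock_err` is never read at or after the label, which deserves a short comment.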
@@ -351,15 +349,16 @@ int set_privileged_socket_opt(int socket, int option_name,
     if (cap_set_proc(cap)) {
         goto cleanup_and_exit;
     }
-#endif /* ifdef HAVE_LIBPCAP */
-
-    result = 0; // Success
+#endif /* ifdef HAVE_LIBCAP */
 
-cleanup_and_exit:
+    if(!set_sock_err) {
+        result = 0; // Success
+    }
 
 #ifdef HAVE_LIBCAP
+cleanup_and_exit:
     cap_free(cap);
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 
     return result;
 }
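Review bot: If the dropping `cap_set_proc(cap)` at the top of this hunk fails, the function still leaves through `cleanup_and_exit` with the same `result` as an ordinary `setsockopt` error, so the caller cannot tell that CAP_NET_ADMIN may still be in the effective set. That case is the one this commit is concerned with, so it deserves its own handling: a distinct return value or a fatal exit, plus a comment such as `/* drop failed: CAP_NET_ADMIN may still be effective */`. The steps between the raise and this `cap_set_proc` are outside the hunk; if any of them also jumps to `cleanup_and_exit`, the same concern applies there. As a style point, `if(!set_sock_err) {` should be `if (!set_sock_err) {` to match the surrounding `if (cap_set_proc(cap))` lines.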