From: flu0r1ne <flu0r1ne@flu0r1ne.net>
Date: Tue, 3 Oct 2023 01:16:28 +0000 (-0500)
Subject: Drop capabilities when `setsockopt` errors
X-Git-Tag: v0.96~21^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54abd964b7dd93cfdca97b7a4aed6b8367b913a5;p=thirdparty%2Fmtr.git

Drop capabilities when `setsockopt` errors

Ensure that `set_privileged_socket_opt` drops capabilities even in the event
that `setsockopt` returns an error.
---

diff --git a/packet/construct_unix.c b/packet/construct_unix.c
index 0d3b1f2..95fefba 100644
--- a/packet/construct_unix.c
+++ b/packet/construct_unix.c
@@ -331,12 +331,10 @@ int set_privileged_socket_opt(int socket, int option_name,
     if (cap_set_proc(cap)) {
         goto cleanup_and_exit;
     }
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 
     // Set the socket mark
-    if (setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len)) {
-        goto cleanup_and_exit;
-    }
+    int set_sock_err = setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len);
 
     // Drop CAP_NET_ADMIN from the effective set if libcap is present
 #ifdef HAVE_LIBCAP
@@ -351,15 +349,16 @@ int set_privileged_socket_opt(int socket, int option_name,
     if (cap_set_proc(cap)) {
         goto cleanup_and_exit;
     }
-#endif /* ifdef HAVE_LIBPCAP */
-
-    result = 0; // Success
+#endif /* ifdef HAVE_LIBCAP */
 
-cleanup_and_exit:
+    if(!set_sock_err) {
+        result = 0; // Success
+    }
 
 #ifdef HAVE_LIBCAP
+cleanup_and_exit:
     cap_free(cap);
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 
     return result;
 }