From 54abd964b7dd93cfdca97b7a4aed6b8367b913a5 Mon Sep 17 00:00:00 2001
From: flu0r1ne
Date: Mon, 2 Oct 2023 20:16:28 -0500
Subject: [PATCH] Drop capabilities when `setsockopt` errors
Ensure that `set_privileged_socket_opt` drops capabilities even in the event that `setsockopt` returns an error.
---
 packet/construct_unix.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/packet/construct_unix.c b/packet/construct_unix.c
index 0d3b1f2..95fefba 100644
--- a/packet/construct_unix.c
+++ b/packet/construct_unix.c
@@ -331,12 +331,10 @@ int set_privileged_socket_opt(int socket, int option_name,
 if (cap_set_proc(cap)) {
 goto cleanup_and_exit;
 }
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 // Set the socket mark
- if (setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len)) {
- goto cleanup_and_exit;
- }
+ int set_sock_err = setsockopt(socket, SOL_SOCKET, option_name, option_value, option_len);
 // Drop CAP_NET_ADMIN from the effective set if libcap is present
 #ifdef HAVE_LIBCAP
@@ -351,15 +349,16 @@ int set_privileged_socket_opt(int socket, int option_name,
 if (cap_set_proc(cap)) {
 goto cleanup_and_exit;
 }
-#endif /* ifdef HAVE_LIBPCAP */
-
- result = 0; // Success
+#endif /* ifdef HAVE_LIBCAP */
-cleanup_and_exit:
+ if(!set_sock_err) {
+ result = 0; // Success
+ }
 #ifdef HAVE_LIBCAP
+cleanup_and_exit:
 cap_free(cap);
-#endif /* ifdef HAVE_LIBPCAP */
+#endif /* ifdef HAVE_LIBCAP */
 return result;
 }
-- 
2.47.2
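Review bot: In the first hunk (`@@ -331,12 +331,10 @@`), `set_sock_err` keeps only the return value of `setsockopt`, so the `errno` it set can be overwritten by the libcap calls that now run after it on the failure path. If callers report `errno` after a failed `set_privileged_socket_opt` (not visible here), the diagnostic may then describe the wrong call. Consider saving it right after the call, `int saved_errno = errno;`, and restoring it with `errno = saved_errno;` before `return result;` when `set_sock_err` is nonzero. The function starts outside this hunk.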
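Review bot: In the second hunk (`@@ -351,15 +349,16 @@`), a failure of the drop-side `cap_set_proc(cap)` still jumps to `cleanup_and_exit` and returns through the same path as a `setsockopt` error, so the caller cannot tell that CAP_NET_ADMIN may remain in the effective set. Since the commit's purpose is to guarantee the drop, that case deserves at least a comment above the check, e.g. `/* If this fails CAP_NET_ADMIN stays effective; callers must treat the error as fatal. */`, or a distinct return value if callers can handle one. Separately, `cleanup_and_exit:` now exists only under `HAVE_LIBCAP`, which is fine only while every remaining `goto` sits inside the same guard; the ones visible here appear to, but the start of the function is outside the hunk.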