On Sat, Jan 26, 2019 at 05:52:46PM -0200, Martin Pieuchot wrote:
> If pfkeyv2_send() tries to send a message without a required extension
> or with a non-allowed extension it will silently fail.  I spent many
> hours debugging the code exporting counters because of this.  I'd like
> to return an error code instead.
> 
> Ok?

Returning an error is the right thing.  But I think EPERM is not
appropriate.

     1 EPERM Operation not permitted. An attempt was made to perform an
             operation limited to processes with appropriate privileges or to
             the owner of a file or other resources.

Increasing privileges will not help.  Other error cases in this
function use EINVAL.  I think this is better as userland has supplied
invalid data.

anyway OK bluhm@

> Index: /sys/net/pfkeyv2.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pfkeyv2.c,v
> retrieving revision 1.194
> diff -u -p -r1.194 pfkeyv2.c
> --- /sys/net/pfkeyv2.c        13 Jan 2019 14:31:55 -0000      1.194
> +++ /sys/net/pfkeyv2.c        26 Jan 2019 19:48:28 -0000
> @@ -2041,12 +2041,16 @@ ret:
>                               seen |= (1LL << i);
>  
>               if ((seen & sadb_exts_allowed_out[smsg->sadb_msg_type])
> -                 != seen)
> +                 != seen) {
> +                     rval = EPERM;
>                       goto realret;
> +             }
>  
>               if ((seen & sadb_exts_required_out[smsg->sadb_msg_type]) !=
> -                 sadb_exts_required_out[smsg->sadb_msg_type])
> +                 sadb_exts_required_out[smsg->sadb_msg_type]) {
> +                     rval = EPERM;
>                       goto realret;
> +             }
>       }
>  
>       rval = pfkeyv2_sendmessage(headers, mode, so, 0, 0, rdomain);
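
Review bot: Both new `rval = EPERM;` assignments report a privilege failure for what the surrounding conditions show to be a message-format problem. The checks compare the `seen` extension bitmask against `sadb_exts_allowed_out[]` and `sadb_exts_required_out[]` for the message type, so no privilege change can make them pass. `EINVAL` fits the condition, and the reply notes that the other error cases in this function use it. The two branches also return the same value, so a caller still cannot tell a non-allowed extension from a missing required one. A one-line comment on each branch saying which case it covers would help the next person debugging a rejected message.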
