[Swan-dev] why do we bother checking out_raw() et.al.'s result?

Andrew Cagney andrew.cagney at gmail.com
Fri Sep 21 16:18:30 UTC 2018


I'm wondering why we bother to write code like:

        return ikev1_out_generic(np, &isakmp_keyex_desc, outs, &z) &&
            out_zero(g->len, &z, "fake g^x") &&
            (close_output_pbs(&z), TRUE);

that goes out of its way to terminate the construction of a packet the
moment there is a whiff of a problem (er, just noticed that in my
example, which really was chosen at random, there is a subtle quirk!)
when we could simply write:

        ikev1_out_generic(np, &isakmp_keyex_desc, outs, &z);
        out_zero(g->len, &z, "fake g^x");
        close_output_pbs(&z);

after all, what could possibly go wrong?  This is what I came up with:

- calling an out function after a fail will core dump
hopefully that isn't true - that code path needs to be robust
regardless (I'm sure if I look I can find more code like the above
where a status is ignored)

- pluto must never knowingly send out a corrupt packet (reflection
attack and all that)
(but I want to :-) so drop the packet as it goes out the door

- the state machine will get confused because a packet was sent when it wasn't
First, this is no different to a MITM attack (where packets get
corrupted/dropped without our knowledge) - we get to deal.
Second, if the SA should be killed, then inject a KILL-SA event rather
than trying to handle it in-line.

Andrew
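The design the mail argues for, as an added example that is not libreswan's code: a small output stream with a sticky error flag, so that writers called after a failure are harmless no-ops (the first "what could go wrong" item), and a single check at the door drops any packet whose construction failed (the second item) instead of handing a truncated buffer to the wire. The names out_stream, out_reserve, close_and_send, build_fake_ke and try_build are all hypothetical; the 4-byte generic header layout is only a stand-in for whatever ikev1_out_generic emits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical output byte stream, loosely modelled on the idea of a
 * packet stream but not libreswan's pb_stream.  'bad' is a sticky error
 * flag: once set, every writer becomes a harmless no-op. */
struct out_stream {
	uint8_t *start;
	size_t cap;
	size_t cur;
	bool bad;
	const char *name;
};

static void out_init(struct out_stream *s, uint8_t *buf, size_t cap,
		     const char *name)
{
	s->start = buf;
	s->cap = cap;
	s->cur = 0;
	s->bad = false;
	s->name = name;
}

/* Reserve room; on overflow remember the failure instead of writing. */
static uint8_t *out_reserve(struct out_stream *s, size_t len, const char *what)
{
	if (s->bad)
		return NULL;	/* already failed: stay quiet, never crash */
	if (len > s->cap - s->cur) {
		fprintf(stderr, "%s: no room for %s (%zu bytes)\n",
			s->name, what, len);
		s->bad = true;
		return NULL;
	}
	uint8_t *p = s->start + s->cur;
	s->cur += len;
	return p;
}

static bool out_raw(const void *bytes, size_t len, struct out_stream *s,
		    const char *what)
{
	uint8_t *p = out_reserve(s, len, what);
	if (p == NULL)
		return false;
	memcpy(p, bytes, len);
	return true;
}

static bool out_zero(size_t len, struct out_stream *s, const char *what)
{
	uint8_t *p = out_reserve(s, len, what);
	if (p == NULL)
		return false;
	memset(p, 0, len);
	return true;
}

/* The "door": a packet whose stream went bad is dropped here, so a
 * half-built packet never reaches the wire.  Returns the number of bytes
 * that would be sent, or 0 when the packet is dropped. */
static size_t close_and_send(struct out_stream *s)
{
	if (s->bad) {
		fprintf(stderr, "%s: dropping corrupt packet\n", s->name);
		return 0;
	}
	return s->cur;
}

/* Build a fake KE payload (hypothetical 4-byte generic header followed by
 * g_len zero bytes) in the unchecked style from the mail: no '&&' chain,
 * each call's result is ignored, and the verdict is taken once at the door. */
static size_t build_fake_ke(uint8_t *buf, size_t cap, uint8_t np, size_t g_len)
{
	struct out_stream z;
	out_init(&z, buf, cap, "KE payload");

	size_t payload_len = 4 + g_len;
	uint8_t hdr[4] = { np, 0, (uint8_t)(payload_len >> 8), (uint8_t)payload_len };
	out_raw(hdr, sizeof hdr, &z, "generic header");
	out_zero(g_len, &z, "fake g^x");	/* safe even if the header failed */
	return close_and_send(&z);
}

/* Convenience wrapper with a fixed 64-byte buffer; 'cap' limits how much of
 * it the stream may use, so a too-small cap simulates an overflow. */
static size_t try_build(size_t cap, size_t g_len)
{
	uint8_t buf[64];
	if (cap > sizeof buf)
		cap = sizeof buf;
	return build_fake_ke(buf, cap, 10, g_len);
}

int main(void)
{
	printf("fits:   %zu bytes sent\n", try_build(64, 32));
	printf("short:  %zu bytes sent\n", try_build(16, 32));
	printf("header: %zu bytes sent\n", try_build(2, 32));
	return 0;
}
```

With a 64-byte cap the 36-byte payload is sent; with a 16-byte cap the header fits but the fake g^x does not, so the stream goes bad and the packet is dropped; with a 2-byte cap even the header fails, and the following out_zero call is a silent no-op rather than a crash.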

