[Swan-dev] why do we bother checking out_raw() et.al.'s result?

Andrew Cagney andrew.cagney at gmail.com
Fri Sep 21 16:18:30 UTC 2018

I'm wondering why we bother to write code like:

        return ikev1_out_generic(np, &isakmp_keyex_desc, outs, &z) &&
            out_zero(g->len, &z, "fake g^x") &&
            (close_output_pbs(&z), TRUE);

that goes out of its way to terminate the construction of a packet the
moment there is a whiff of a problem (er, just noticed that in my
example, which really was chosen at random, there is a subtle quirk!)
when we could simply write:

       ikev1_out_generic(np, &isakmp_keyex_desc, outs, &z);
       out_zero(g->len, &z, "fake g^x");

after all, what could possibly go wrong?  This is what I came up with:

- calling an out function after a fail will core dump
hopefully that isn't true - that code path needs to be robust
regardless (I'm sure if I look I can find more code like the above
where a status is ignored)

- pluto must never knowingly send out a corrupt packet (reflection
attack and all that)
(but I want to :-) so drop the packet as it goes out the door

- the state machine will get confused because a packet was sent when it wasn't
First, this is no different to a MITM attack (where packets get
corrupted/dropped without our knowledge) - we get to deal.
Second, if the SA should be killed, then inject a KILL-SA event rather
than trying to handle it in-line.


More information about the Swan-dev mailing list