From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
From: Petr Vorel
Date: Tue, 9 Nov 2021 02:39:56 +0100
Subject: [PATCH] ping6: Avoid binding to non-VRF
This fixes permission issue when specifying just address (without VRF) unless having CAP_NET_ADMIN (i.e. root) permission:
$ ./builddir/ping/ping -c1 -I lo ::1
./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on opt_strictsource.
Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
Signed-off-by: Petr Vorel
Conflict: Modifying "rts->opt_strictsource" to "options & F_STRICTSOURCE" and "rts->device" to "device","ping/ping6_common.c" to "ping6_common.c"
Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
---
 ping6_common.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/ping6_common.c b/ping6_common.c
index 4eaa4f6..eb7ca70 100644
--- a/ping6_common.c
+++ b/ping6_common.c
@@ -691,14 +691,16 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
 memset(ipi, 0, sizeof(*ipi));
 ipi->ipi6_ifindex = if_name2index(device);
- enable_capability_raw();
- rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
- device, strlen(device) + 1);
- errno_save = errno;
- disable_capability_raw();
-
- if (rc == -1)
- error(2, errno_save, "SO_BINDTODEVICE %s", device);
+ if (options & F_STRICTSOURCE) {
+ enable_capability_raw();
+ rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+ device, strlen(device) + 1);
+ errno_save = errno;
+ disable_capability_raw();
+
+ if (rc == -1)
+ error(2, errno_save, "SO_BINDTODEVICE %s", device);
+ }
 }
 if ((whereto.sin6_addr.s6_addr16[0] & htons(0xff00)) == htons(0xff00)) {
--
2.27.0
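Review bot: The new guard `if (options & F_STRICTSOURCE)` keys the SO_BINDTODEVICE call on the strict-source flag, not on whether `device` is a VRF, so a device given with `-I` but without that flag is now left unbound and, as far as this hunk shows, only `ipi->ipi6_ifindex` steers the outgoing packets. The subject says "Avoid binding to non-VRF" and the commit named in `Fixes:` added the bind for VRF, so it is worth confirming that a VRF device without strict source still behaves as intended, and that callers do not treat `-I` as an enforced interface restriction in the unbound case. I would add a comment above the guard stating the intent, e.g. `/* SO_BINDTODEVICE needs elevated capability; bind only for strict source, otherwise rely on ipi6_ifindex */`. The capability window stays narrow, with errno saved before `disable_capability_raw()`, and should be kept that way. ping6_run starts and ends outside the hunk.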