K 10
svn:author
V 7
glebius
K 8
svn:date
V 27
2012-10-24T10:28:12.644474Z
K 7
svn:log
V 1892
Merge r240234, r240271, r240734 from head:

r240234:
  The first part of check_priv() function, that attempts to obtain creds
  from the control message, actually never worked. This means check_priv()
  didn't work for local dgram sockets.

  The SCM_CREDS control messages is received only in two cases:

  1) If we did setsockopt(LOCAL_CREDS) on our socket, and in this case
     the message is struct sockcred.
  2) If sender did supplied SCM_CREDS control message in his sendmsg()
     syscall. In this case the message is struct cmsgcred.

  We can't rely on 2), so we will use 1) for dgram sockets. For stream
  sockets it is more reliable to obtain accept-time credentials, since
  SCM_CREDS control message is attached only on first read. Thus:

  o Do setsockopt(LOCAL_CREDS) on local dgram sockets.
  o Split check_priv() into check_priv_stream() and check_priv_dgram(),
    and call them from recv_stream() and recv_dgram() respectively.
  o Don't provide space for SCM_CREDS control message in recv_stream().
  o Provide space for SCM_CREDS control message in recv_dgram(), but there
    is no need to initialize anything in it.
  o In recv_dgram() do not blindly expect that first message is SCM_CREDS,
    instead use correct search cycle through control messages.

r240271:
  For UDP transport set IP_RECVDSTADDR sockopt on the socket, and provide
  IP_SENDSRCADDR control with datagram message we reply with. This makes
  bsnmpd reply from exactly same address that request was sent to, thus
  successfully bypassing stateful firewalls or other kinds of strict checking.

r240734:
  Re-do r240271:
  - Set IP_RECVDSTADDR sockopt on the socket only in case if
    it is INADDR_ANY bound.
  - Supply IP_SENDSRCADDR control message only if we did receive
    IP_RECVDSTADDR control message.

  This fixes operation of snmpd bound to a specific local IP address.

PR:		bin/171279

END