Re: [PATCH 2/2] man/send(2): document a long standing bug that can cause spurious EPERM errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2013/03/19 19:12, Pablo Neira Ayuso wrote:
On Tue, Mar 19, 2013 at 03:52:40PM +0900, Fernando Luis Vázquez Cao wrote:
Subject: [PATCH 2/2] man/send(2): document a long standing bug that can cause spurious EPERM errors

This bug has been known since early 2009 (the latest) and  discussed in
netdev before:

http://marc.info/?l=linux-netdev&w=2&r=1&s=Possible+race+condition+in+conntracking+&q=b

It seems that a proper fix would be non trivial, so document the bug
in the meantime.

Reported-by: Hirotaka Sasaki <sasaki.hirotaka@xxxxxxxxxxxxx>
Signed-off-by: Fernando Luis Vazquez Cao <fernando@xxxxxxxxxxxxx>
---

diff -urNp man-pages-3.50-orig/man2/send.2 man-pages-3.50/man2/send.2
--- man-pages-3.50-orig/man2/send.2	2013-03-19 15:18:03.784306647 +0900
+++ man-pages-3.50/man2/send.2	2013-03-19 15:30:40.788060426 +0900
@@ -420,6 +420,11 @@ Linux may return
  .B EPIPE
  instead of
  .BR ENOTCONN .
+
+Linux may return spurious
+.B EPERM
+errors when netfilter's conntrack module is loaded and two or more
+UDP packets belonging to the same connection are processed in parallel.
The Connection tracking system may drop packets for different reasons
under rare circunstances, not only in this case.
I'd prefer if you only apply patch 1/2.

I'd agree with you if we *silently* dropped packets in such
situations, but unfortunately that's not the case.

The problem is that sometimes we end up returning spurious EPERM
errors to user space. Applications may (and many actually do)
interpret EPERM as "an attempt was made to perform an operation
limited to processes with appropriate privileges or to the owner of a
file or other resource" and just bail out after seeing the first
EPERM; after all, if its cause is system policy-related there is no
point in retrying. Spurious EPERM errors would break such (perfectly
compliant) applications, so the least we can do is document them
properly.

Thanks,
Fernando
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux