mtr-packet: drop capabilities + using BSD's linked lists for probes

At startup, we now use cap_set_proc to drop all privileged
capabilities for the mtr-packet process.  This means that
capabilities granted through the commandline setcap to the
mtr-packet executable will only be in effect while the necessary
raw sockets are opened, and will be dropped before any command
requests are read.

Now we use BSD's queue.h linked list support for storing outstanding
probes.  This makes iterating through in-flight probes more efficient,
as we don't need to loop through many unused probe entires when only
a few probes are outstanding.

Changed mtr-packet's default probe size to 64 bytes, to match
mainline mtr's default.

The code consistently uses 'exit(EXIT_FAILURE)' instead of 'exit(1)'.
The effect is the same, but the intent is clearer.

Author: matt-kimball

BSDCOPYING

@@ -0,0 +1,30 @@
+Portions of this software have the following copyright.
+
+--
+
+Copyright (c) 1991, 1993
+	The Regents of the University of California.  All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ 4. Neither the name of the University nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.

Makefile.am

@@ -1,4 +1,5 @@
 EXTRA_DIST = \
+	BSDCOPYING \
 	SECURITY \
 	mtr.bat \
 	img/mtr_icon.xpm
@@ -97,18 +98,21 @@ mtr_packet_SOURCES = \
 	packet/timeval.c packet/timeval.h \
 	packet/wait.h
 
+mtr_packet_LDADD = $(CAP_LIBS)
+
 
 if CYGWIN
 
 mtr_packet_SOURCES += \
 	packet/command_cygwin.c packet/command_cygwin.h \
 	packet/probe_cygwin.c packet/probe_cygwin.h \
 	packet/wait_cygwin.c
-mtr_packet_LDADD = -lcygwin -liphlpapi -lws2_32
+mtr_packet_LDADD += -lcygwin -liphlpapi -lws2_32
 
 dist_windows_aux = \
 	$(srcdir)/mtr.bat \
 	$(srcdir)/AUTHORS \
+	$(srcdir)/BSDCOPYING \
 	$(srcdir)/COPYING \
 	$(srcdir)/README \
 	$(srcdir)/NEWS

SECURITY

@@ -44,6 +44,8 @@ justified.  mtr-packet does the following two things after it is launched:
    ICMP packets.
 *  mtr-packet drops root privileges by setting the effective uid to
    match uid or the user calling mtr.
+*  If capabilities support is availabe, mtr-packet drops all privileged
+   capabilities.
 
 See main() in packet.c and init_net_state_privileged() in probe_unix.c
 for the details of this process.

configure.ac

@@ -108,6 +108,10 @@ AS_IF([test "x$with_ncurses" = "xyes"],
 ])
 AM_CONDITIONAL([WITH_NCURSES], [test "x$with_ncurses" = xyes])
 
+AC_CHECK_LIB([cap], [cap_set_proc], [],
+  AS_IF([test "$host_os" = linux-gnu],
+    AC_MSG_WARN([Capabilities support is strongly recommended for increased security.  See SECURITY for more information.])))
+
 # Enable ipinfo
 AC_ARG_WITH([ipinfo],
   [AS_HELP_STRING([--without-ipinfo], [Do not try to use ipinfo lookup at all])],

packet/command.c

@@ -278,7 +278,7 @@ void send_probe_command(
     param.command_token = command->token;
     param.protocol = IPPROTO_ICMP;
     param.ttl = 255;
-    param.packet_size = 128;
+    param.packet_size = 64;
     param.timeout = 10;
 
     for (i = 0; i < command->argument_count; i++) {

packet/command_cygwin.c

@@ -48,7 +48,7 @@ void CALLBACK finish_read_command(
         }
 
         fprintf(stderr, "ReadFileEx completion failure %d\n", status);
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*  Copy from the overlapped I/O buffer to the incoming command buffer  */
@@ -77,7 +77,7 @@ void queue_empty_apc(void)
     if (QueueUserAPC((PAPCFUNC)empty_apc, GetCurrentThread(), 0) == 0) {
         fprintf(
             stderr, "Unexpected QueueUserAPC failure %d\n", GetLastError());
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }
 
@@ -115,7 +115,7 @@ void start_read_command(
         } else if (err != WAIT_IO_COMPLETION) {
             fprintf(
                 stderr, "Unexpected ReadFileEx failure %d\n", GetLastError());
-            exit(1);
+            exit(EXIT_FAILURE);
         }
     }
 

packet/command_unix.c

@@ -42,13 +42,13 @@ void init_command_buffer(
     flags = fcntl(command_stream, F_GETFL, 0);
     if (flags == -1) {
         perror("Unexpected command stream error");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*  Set the O_NONBLOCK bit  */
     if (fcntl(command_stream, F_SETFL, flags | O_NONBLOCK)) {
         perror("Unexpected command stream error");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }
 
@@ -82,7 +82,7 @@ int read_commands(
         /*  EINTR indicates we received a signal during read  */
         if (errno != EINTR && errno != EAGAIN) {
             perror("Unexpected command buffer read error");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
     }
 

packet/deconstruct_unix.c

@@ -50,7 +50,8 @@ void find_and_receive_probe(
     }
 
     receive_probe(
-        probe, icmp_type, remote_addr, timestamp, mpls_count, mpls);
+        net_state, probe, icmp_type,
+        remote_addr, timestamp, mpls_count, mpls);
 }
 
 /*
@@ -82,7 +83,8 @@ void handle_inner_udp_packet(
 
     if (probe != NULL) {
         receive_probe(
-            probe, icmp_result, remote_addr, timestamp, mpls_count, mpls);
+            net_state, probe, icmp_result,
+            remote_addr, timestamp, mpls_count, mpls);
     }
 }
 

packet/packet.c

@@ -16,23 +16,55 @@
     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
 
+#include "config.h"
+
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <unistd.h>
 
+#ifdef HAVE_LIBCAP
+#   include <sys/capability.h>
+#endif
+
 #include "wait.h"
 
 /*  Drop SUID privileges.  To be used after accquiring raw sockets.  */
 static
-void drop_suid_permissions(void)
+int drop_elevated_permissions(void)
 {
+#ifdef HAVE_LIBCAP
+    cap_t cap;
+#endif
+
+    /*  Drop any suid permissions granted  */
     if (setgid(getgid()) || setuid(getuid())) {
-        perror("Unable to drop suid permissions");
+        return -1;
     }
 
     if (geteuid() != getuid() || getegid() != getgid()) {
-        perror("Unable to drop suid permissions");
+        return -1;
+    }
+
+    /*
+        Drop all process capabilities.
+        This will revoke anything granted by a commandline 'setcap'
+    */
+#ifdef HAVE_LIBCAP
+    cap = cap_get_proc();
+    if (cap == NULL) {
+        return -1;
+    }
+    if (cap_clear(cap)) {
+        return -1;
+    }
+    if (cap_set_proc(cap)) {
+        return -1;
     }
+#endif
+
+    return 0;
 }
 
 int main(
@@ -49,7 +81,10 @@ int main(
         raw sockets.
     */
     init_net_state_privileged(&net_state);
-    drop_suid_permissions();
+    if (drop_elevated_permissions()) {
+        perror("Unable to drop elevated permissions");
+        exit(EXIT_FAILURE);
+    }
     init_net_state(&net_state);
 
     init_command_buffer(&command_buffer, fileno(stdin));
@@ -93,7 +128,7 @@ int main(
             in-flight probes have reported their status.
         */
         if (!command_pipe_open) {
-            if (count_in_flight_probes(&net_state) == 0) {
+            if (net_state.outstanding_probe_count == 0) {
                 break;
             }
         }

packet/probe.c

@@ -115,57 +115,39 @@ struct probe_t *alloc_probe(
     struct net_state_t *net_state,
     int token)
 {
-    int i;
     struct probe_t *probe;
 
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
+    if (net_state->outstanding_probe_count >= MAX_PROBES) {
+        return NULL;
+    }
 
-        if (!probe->used) {
-            memset(probe, 0, sizeof(struct probe_t));
+    probe = malloc(sizeof(struct probe_t));
+    if (probe == NULL) {
+        return NULL;
+    }
 
-            probe->used = true;
-            probe->token = token;
+    memset(probe, 0, sizeof(struct probe_t));
+    probe->token = token;
 
-            platform_alloc_probe(net_state, probe);
+    platform_alloc_probe(net_state, probe);
 
-            return probe;
-        }
-    }
+    net_state->outstanding_probe_count++;
+    LIST_INSERT_HEAD(&net_state->outstanding_probes, probe, probe_list_entry);
 
-    return NULL;
+    return probe;
 }
 
 /*  Mark a probe tracking structure as unused  */
 void free_probe(
+    struct net_state_t *net_state,
     struct probe_t *probe)
 {
-    platform_free_probe(probe);
-
-    probe->used = false;
-}
-
-/*
-    Return the number of probes which haven't yet received a reply
-    and haven't yet timed out.
-*/
-int count_in_flight_probes(
-    struct net_state_t *net_state)
-{
-    int i;
-    int count;
-    struct probe_t *probe;
+    LIST_REMOVE(probe, probe_list_entry);
+    net_state->outstanding_probe_count--;
 
-    count = 0;
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
-
-        if (probe->used) {
-            count++;
-        }
-    }
+    platform_free_probe(probe);
 
-    return count;
+    free(probe);
 }
 
 /*
@@ -178,7 +160,6 @@ struct probe_t *find_probe(
     int id,
     int sequence)
 {
-    int i;
     struct probe_t *probe;
 
     /*
@@ -195,14 +176,9 @@ struct probe_t *find_probe(
         }
     }
 
-
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
-
-        if (probe->used) {
-            if (htons(probe->sequence) == sequence) {
-                return probe;
-            }
+    LIST_FOREACH(probe, &net_state->outstanding_probes, probe_list_entry) {
+        if (htons(probe->sequence) == sequence) {
+            return probe;
         }
     }
 
@@ -251,6 +227,7 @@ void format_mpls_string(
     sent the probe.
 */
 void respond_to_probe(
+    struct net_state_t *net_state,
     struct probe_t *probe,
     int icmp_type,
     const struct sockaddr_storage *remote_addr,
@@ -289,7 +266,7 @@ void respond_to_probe(
             remote_addr->ss_family, addr, ip_text, IP_TEXT_LENGTH) == NULL) {
 
         perror("inet_ntop failure");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     snprintf(
@@ -308,7 +285,7 @@ void respond_to_probe(
     }
 
     puts(response);
-    free_probe(probe);
+    free_probe(net_state, probe);
 }
 
 /*

packet/probe.h

@@ -25,6 +25,8 @@
 #include <stdbool.h>
 #include <sys/time.h>
 
+#include "portability/queue.h"
+
 #ifdef PLATFORM_CYGWIN
 #include "probe_cygwin.h"
 #else
@@ -82,8 +84,8 @@ struct probe_param_t
 /*  Tracking information for an outstanding probe  */
 struct probe_t
 {
-    /*  true if this entry is in use  */
-    bool used;
+    /*  Our entry in the probe list  */
+    LIST_ENTRY(probe_t) probe_list_entry;
 
     /*
         Also the ICMP sequence ID used to identify the probe.
@@ -106,13 +108,17 @@ struct probe_t
 /*  Global state for interacting with the network  */
 struct net_state_t
 {
+    /*  The number of entries in the outstanding_probes list  */
+    int outstanding_probe_count;
+
     /*  Tracking information for in-flight probes  */
-    struct probe_t probes[MAX_PROBES];
+    LIST_HEAD(probe_list_head_t, probe_t) outstanding_probes;
 
     /*  Platform specific tracking information  */
     struct net_state_platform_t platform;
 };
 
+/*  Multiprotocol Label Switching information  */
 struct mpls_label_t
 {
     uint32_t label;
@@ -146,6 +152,7 @@ void check_probe_timeouts(
     struct net_state_t *net_state);
 
 void respond_to_probe(
+    struct net_state_t *net_state,
     struct probe_t *probe,
     int icmp_type,
     const struct sockaddr_storage *remote_addr,
@@ -167,19 +174,17 @@ struct probe_t *alloc_probe(
     struct net_state_t *net_state,
     int token);
 
-void platform_alloc_probe(
+void free_probe(
     struct net_state_t *net_state,
     struct probe_t *probe);
 
-void platform_free_probe(
+void platform_alloc_probe(
+    struct net_state_t *net_state,
     struct probe_t *probe);
 
-void free_probe(
+void platform_free_probe(
     struct probe_t *probe);
 
-int count_in_flight_probes(
-    struct net_state_t *net_state);
-
 struct probe_t *find_probe(
     struct net_state_t *net_state,
     int protocol,

packet/probe_cygwin.c

@@ -38,13 +38,13 @@ void init_net_state(
     net_state->platform.icmp4 = IcmpCreateFile();
     if (net_state->platform.icmp4 == INVALID_HANDLE_VALUE) {
         fprintf(stderr, "Failure opening ICMPv4 %d\n", GetLastError());
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     net_state->platform.icmp6 = Icmp6CreateFile();
     if (net_state->platform.icmp6 == INVALID_HANDLE_VALUE) {
         fprintf(stderr, "Failure opening ICMPv6 %d\n", GetLastError());
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }
 
@@ -60,11 +60,12 @@ bool is_protocol_supported(
     return false;
 }
 
-/*  No special action is required for Cygwin on probe allocation  */
+/*  Set the back pointer to the net_state when a probe is allocated  */
 void platform_alloc_probe(
     struct net_state_t *net_state,
     struct probe_t *probe)
 {
+    probe->platform.net_state = net_state;
 }
 
 /*  Free the reply buffer when the probe is freed  */
@@ -112,6 +113,7 @@ void WINAPI on_icmp_reply(
     ULONG reserved)
 {
     struct probe_t *probe = (struct probe_t *)context;
+    struct net_state_t *net_state = probe->platform.net_state;
     int icmp_type;
     int round_trip_us = 0;
     int reply_count;
@@ -163,7 +165,7 @@ void WINAPI on_icmp_reply(
         err = GetLastError();
 
         report_win_error(probe->token, err);
-        free_probe(probe);
+        free_probe(net_state, probe);
         return;
     }
 
@@ -178,7 +180,8 @@ void WINAPI on_icmp_reply(
     if (icmp_type != -1) {
         /*  Record probe result  */
         respond_to_probe(
-            probe, icmp_type, &remote_addr, round_trip_us, 0, NULL);
+            net_state, probe, icmp_type,
+            &remote_addr, round_trip_us, 0, NULL);
     } else {
         fprintf(stderr, "Unexpected ICMP result %d\n", icmp_type);
     }
@@ -227,7 +230,7 @@ void icmp_send_probe(
     probe->platform.reply4 = malloc(reply_size);
     if (probe->platform.reply4 == NULL) {
         perror("failure to allocate reply buffer");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     if (param->ip_version == 6) {
@@ -258,7 +261,7 @@ void icmp_send_probe(
         */
         if (err != ERROR_IO_PENDING) {
             report_win_error(probe->token, err);
-            free_probe(probe);
+            free_probe(net_state, probe);
         }
     }
 }
@@ -324,7 +327,7 @@ void send_probe(
     payload_size = fill_payload(param, payload, PACKET_BUFFER_SIZE);
     if (payload_size < 0) {
         perror("Error construction packet");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     icmp_send_probe(

packet/probe_cygwin.h

@@ -51,6 +51,12 @@ typedef struct icmpv6_echo_reply_lh
 */
 struct probe_platform_t
 {
+    /*
+        We need a backpointer to the net_state because of the way
+        IcmpSendEcho2 passes our context.
+    */
+    struct net_state_t *net_state;
+
     /*  IP version (4 or 6) used for the probe  */
     int ip_version;
 

packet/probe_unix.c

@@ -99,7 +99,7 @@ void check_length_order(
 
     if (resolve_probe_addresses(&param, &dest_sockaddr, &src_sockaddr)) {
         fprintf(stderr, "Error decoding localhost address\n");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*  First attempt to ping the localhost with network byte order  */
@@ -111,7 +111,7 @@ void check_length_order(
         &dest_sockaddr, &src_sockaddr, &param);
     if (packet_size < 0) {
         perror("Unable to send to localhost");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     bytes_sent = send_packet(
@@ -129,14 +129,14 @@ void check_length_order(
         &dest_sockaddr, &src_sockaddr, &param);
     if (packet_size < 0) {
         perror("Unable to send to localhost");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     bytes_sent = send_packet(
         net_state, &param, packet, packet_size, &dest_sockaddr);
     if (bytes_sent < 0) {
         perror("Unable to send with swapped length");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }
 
@@ -171,12 +171,12 @@ void set_socket_nonblocking(
     flags = fcntl(socket, F_GETFL, 0);
     if (flags == -1) {
         perror("Unexpected socket F_GETFL error");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     if (fcntl(socket, F_SETFL, flags | O_NONBLOCK)) {
         perror("Unexpected socket F_SETFL O_NONBLOCK error");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }
 
@@ -192,7 +192,7 @@ void open_ip4_sockets(
     send_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
     if (send_socket == -1) {
         perror("Failure opening IPv4 send socket");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*
@@ -203,7 +203,7 @@ void open_ip4_sockets(
         send_socket, IPPROTO_IP, IP_HDRINCL, &trueopt, sizeof(int))) {
 
         perror("Failure to set IP_HDRINCL");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*
@@ -213,7 +213,7 @@ void open_ip4_sockets(
     recv_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
     if (recv_socket == -1) {
         perror("Failure opening IPv4 receive socket");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     net_state->platform.ip4_send_socket = send_socket;
@@ -232,19 +232,19 @@ void open_ip6_sockets(
     send_socket_icmp = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
     if (send_socket_icmp == -1) {
         perror("Failure opening ICMPv6 send socket");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     send_socket_udp = socket(AF_INET6, SOCK_RAW, IPPROTO_UDP);
     if (send_socket_udp == -1) {
         perror("Failure opening UDPv6 send socket");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     recv_socket = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
     if (recv_socket == -1) {
         perror("Failure opening IPv6 receive socket");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     set_socket_nonblocking(recv_socket);
@@ -352,13 +352,13 @@ void send_probe(
 
     if (resolve_probe_addresses(param, &probe->remote_addr, &src_sockaddr)) {
         printf("%d invalid-argument\n", param->command_token);
-        free_probe(probe);
+        free_probe(net_state, probe);
         return;
     }
 
     if (gettimeofday(&probe->platform.departure_time, NULL)) {
         perror("gettimeofday failure");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     packet_size = construct_packet(
@@ -375,10 +375,11 @@ void send_probe(
         */
         if (errno == ECONNREFUSED) {
             receive_probe(
-                probe, ICMP_ECHOREPLY, &probe->remote_addr, NULL, 0, NULL);
+                net_state, probe, ICMP_ECHOREPLY,
+                &probe->remote_addr, NULL, 0, NULL);
         } else {
             report_packet_error(param->command_token);
-            free_probe(probe);
+            free_probe(net_state, probe);
         }
 
         return;
@@ -390,7 +391,7 @@ void send_probe(
                 packet, packet_size, &probe->remote_addr) == -1) {
 
             report_packet_error(param->command_token);
-            free_probe(probe);
+            free_probe(net_state, probe);
             return;
         }
     }
@@ -429,6 +430,7 @@ void platform_free_probe(
     to the platform agnostic response handling.
 */
 void receive_probe(
+    struct net_state_t *net_state, 
     struct probe_t *probe,
     int icmp_type,
     const struct sockaddr_storage *remote_addr,
@@ -443,7 +445,7 @@ void receive_probe(
     if (timestamp == NULL) {
         if (gettimeofday(&now, NULL)) {
             perror("gettimeofday failure");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
 
         timestamp = &now;
@@ -454,7 +456,8 @@ void receive_probe(
         timestamp->tv_usec - departure_time->tv_usec;
 
     respond_to_probe(
-        probe, icmp_type, remote_addr, round_trip_us, mpls_count, mpls);
+        net_state, probe, icmp_type,
+        remote_addr, round_trip_us, mpls_count, mpls);
 }
 
 /*
@@ -486,7 +489,7 @@ void receive_replies_from_icmp_socket(
         */
         if (gettimeofday(&timestamp, NULL)) {
             perror("gettimeofday failure");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
 
         if (packet_length == -1) {
@@ -507,7 +510,7 @@ void receive_replies_from_icmp_socket(
             }
 
             perror("Failure receiving replies");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
 
         handle_received_packet(
@@ -547,7 +550,7 @@ void receive_replies_from_probe_socket(
             return;
         } else {
             perror("probe socket select error");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
     }
 
@@ -560,7 +563,7 @@ void receive_replies_from_probe_socket(
 
     if (getsockopt(probe_socket, SOL_SOCKET, SO_ERROR, &err, &err_length)) {
         perror("probe socket SO_ERROR");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     /*
@@ -569,20 +572,21 @@ void receive_replies_from_probe_socket(
     */
     if (!err || err == ECONNREFUSED) {
         receive_probe(
-            probe, ICMP_ECHOREPLY, &probe->remote_addr, NULL, 0, NULL);
+            net_state, probe, ICMP_ECHOREPLY,
+            &probe->remote_addr, NULL, 0, NULL);
     } else {
         errno = err;
         report_packet_error(probe->token);
-        free_probe(probe);
+        free_probe(net_state, probe);
     }
 }
 
 /*  Check both the IPv4 and IPv6 sockets for incoming packets  */
 void receive_replies(
     struct net_state_t *net_state)
 {
-    int i;
     struct probe_t *probe;
+    struct probe_t *probe_safe_iter;
 
     receive_replies_from_icmp_socket(
         net_state, net_state->platform.ip4_recv_socket,
@@ -592,12 +596,11 @@ void receive_replies(
         net_state, net_state->platform.ip6_recv_socket,
         handle_received_ip6_packet);
 
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
+    LIST_FOREACH_SAFE(
+            probe, &net_state->outstanding_probes,
+            probe_list_entry, probe_safe_iter) {
 
-        if (probe->used) {
-            receive_replies_from_probe_socket(net_state, probe);
-        }
+        receive_replies_from_probe_socket(net_state, probe);
     }
 }
 
@@ -609,18 +612,16 @@ int gather_probe_sockets(
     const struct net_state_t *net_state,
     fd_set *write_set)
 {
-    int i;
     int probe_socket;
     int nfds;
     const struct probe_t *probe;
 
     nfds = 0;
 
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
+    LIST_FOREACH(probe, &net_state->outstanding_probes, probe_list_entry) {
         probe_socket = probe->platform.socket;
 
-        if (probe->used && probe_socket) {
+        if (probe_socket) {
             FD_SET(probe_socket, write_set);
             if (probe_socket >= nfds) {
                 nfds = probe_socket + 1;
@@ -641,26 +642,22 @@ void check_probe_timeouts(
 {
     struct timeval now;
     struct probe_t *probe;
-    int i;
+    struct probe_t *probe_safe_iter;
 
     if (gettimeofday(&now, NULL)) {
         perror("gettimeofday failure");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
-
-        /*  Don't check probes which aren't currently outstanding  */
-        if (!probe->used) {
-            continue;
-        }
+    LIST_FOREACH_SAFE(
+            probe, &net_state->outstanding_probes,
+            probe_list_entry, probe_safe_iter) {
 
         if (compare_timeval(probe->platform.timeout_time, now) < 0) {
             /*  Report timeout to the command stream  */
             printf("%d no-reply\n", probe->token);
 
-            free_probe(probe);
+            free_probe(net_state, probe);
         }
     }
 }
@@ -677,24 +674,18 @@ bool get_next_probe_timeout(
     const struct net_state_t *net_state,
     struct timeval *timeout)
 {
-    int i;
     bool have_timeout;
     const struct probe_t *probe;
     struct timeval now;
     struct timeval probe_timeout;
 
     if (gettimeofday(&now, NULL)) {
         perror("gettimeofday failure");
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 
     have_timeout = false;
-    for (i = 0; i < MAX_PROBES; i++) {
-        probe = &net_state->probes[i];
-        if (!probe->used) {
-            continue;
-        }
-
+    LIST_FOREACH(probe, &net_state->outstanding_probes, probe_list_entry) {
         probe_timeout.tv_sec =
             probe->platform.timeout_time.tv_sec - now.tv_sec;
         probe_timeout.tv_usec =

packet/probe_unix.h

@@ -75,6 +75,7 @@ void set_socket_nonblocking(
     int socket);
 
 void receive_probe(
+    struct net_state_t *net_state,
     struct probe_t *probe,
     int icmp_type,
     const struct sockaddr_storage *remote_addr,

packet/wait_cygwin.c

@@ -50,6 +50,6 @@ void wait_for_activity(
 
     if (wait_result == WAIT_FAILED) {
         fprintf(stderr, "SleepEx failure %d\n", GetLastError());
-        exit(1);
+        exit(EXIT_FAILURE);
     }
 }

packet/wait_unix.c

@@ -115,7 +115,7 @@ void wait_for_activity(
         if (errno != EINTR && errno != EAGAIN) {
             /*  We don't expect other errors, so report them  */
             perror("unexpected select error");
-            exit(1);
+            exit(EXIT_FAILURE);
         }
     }
 }