falcosecurity · poiana · Dec 6, 2024 · Dec 5, 2024 · FedeDP · Dec 6, 2024
diff --git a/test/libscap/test_suites/userspace/event_table.cpp b/test/libscap/test_suites/userspace/event_table.cpp
@@ -167,3 +167,26 @@ TEST(event_table, check_usage_of_EC_UNKNOWN_flag) {
 		}
 	}
 }
+
+TEST(event_table, check_exit_param_names) {
+	// We should use only res/fd but we have all these other variants
+	std::set<std::string> valid_names = {"res", "fd", "uid", "gid", "res_or_fd", "euid", "egid"};
+	for(int evt = 0; evt < PPM_EVENT_MAX; evt++) {
+		auto evt_info = scap_get_event_info_table()[evt];
+
+		// Generic is an exit event but it does not have the return code.
+		if(evt == PPME_GENERIC_X) {
+			continue;
+		}
+
+		if((evt_info.category & EC_SYSCALL) && PPME_IS_EXIT(evt) && evt_info.nparams > 0) {
+			const char* name = evt_info.params[0].name;
+			if(valid_names.find(name) != valid_names.end()) {
+				continue;
+			} else {
+				FAIL() << "Evt: '" << evt_info.name
+				       << "' has a first param name not allowed: " << name;
+			}
+		}
+	}
+}
diff --git a/userspace/libsinsp/event.h b/userspace/libsinsp/event.h
@@ -722,9 +722,17 @@ class SINSP_PUBLIC sinsp_evt {
 	inline bool is_syscall_event() const { return get_info()->category & EC_SYSCALL; }
 
 	inline bool has_return_value() {
-		// The event has a return value:
-		// * if it is a syscall event and it is an exit event.
-		if(is_syscall_event() && PPME_IS_EXIT(get_type())) {
+		// This event does not have a return value
+		if(get_type() == PPME_GENERIC_X) {
+			return false;
+		}
+
+		// The event has a return value if:
+		// * it is a syscall event.
+		// * it is an exit event.
+		// * it has at least one parameter. Some exit events are not instrumented, see
+		// `PPME_SOCKET_GETSOCKNAME_X`
+		if(is_syscall_event() && PPME_IS_EXIT(get_type()) && get_num_params() > 0) {
 			return true;
 		}
 

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -632,19 +632,11 @@ bool sinsp_parser::reset(sinsp_evt *evt) {
 		//
 		// Error detection logic
 		//
-		if(evt->get_num_params() != 0 && ((evt->get_info()->params[0].name[0] == 'r' &&
-		                                   evt->get_info()->params[0].name[1] == 'e' &&
-		                                   evt->get_info()->params[0].name[2] == 's' &&
-		                                   evt->get_info()->params[0].name[3] == '\0') ||
-		                                  (evt->get_info()->params[0].name[0] == 'f' &&
-		                                   evt->get_info()->params[0].name[1] == 'd' &&
-		                                   evt->get_info()->params[0].name[2] == '\0'))) {
-			if(evt->has_return_value()) {
-				int64_t res = evt->get_syscall_return_value();
-
-				if(res < 0) {
-					evt->set_errorcode(-(int32_t)res);
-				}
+		if(evt->has_return_value()) {
+			int64_t res = evt->get_syscall_return_value();
+
+			if(res < 0) {
+				evt->set_errorcode(-(int32_t)res);
 			}
 		}