| blob | 1c82940f0f2941b77cdcbd18d87ce87dcea5b3bf |
1 /* UNIX Domain Sockets - io.c - sending and receiving */
4 #include <sys/mman.h>
6 /*
7 * Our UDS sockets do not have a send buffer. They only have a receive buffer.
8 * This receive buffer, when not empty, is split up in segments. Each segment
9 * may contain regular data, ancillary data, both, or (for SOCK_SEQPACKET and
10 * (SOCK_DGRAM) neither. There are two types of ancillary data: in-flight file
11 * descriptors and sender credentials. In addition, for SOCK_DGRAM sockets,
12 * the segment may contain the sender's socket path (if the sender's socket is
13 * bound). Each segment has a header, containing the full segment size, the
14 * size of the actual data in the segment (if any), and a flags field that
15 * states which ancillary are associated with the segment (if any). For
16 * SOCK_STREAM type sockets, new data may be merged into a previous segment,
17 * but only if it has no ancillary data. For the other two socket types, each
18 * packet has its own header. The resulting behavior should be in line with
19 * the POSIX "Socket Receive Queue" specification.
20 *
21 * More specifically, each segment consists of the following parts:
22 * - always a five-byte header, containing a two-byte segment length (including
23 * the header, so always non-zero), a two-byte regular data length (zero or
24 * more), and a one-byte flags field which is a bitwise combination of
25 * UDS_HAS_{FD,CRED,PATH} flags;
26 * - next, if UDS_HAS_CRED is set in the segment header: a sockcred structure;
27 * since this structure is variable-size, the structure is prepended by a
28 * single byte that contains the length of the structure (excluding the byte
29 * itself, thus ranging from sizeof(struct sockcred) to UDS_MAXCREDLEN);
30 * - next, if UDS_HAS_PATH is set in the segment header:
31 * - next, if the data length is non-zero, the actual regular data.
32 * If the segment is not the last in the receive buffer, it is followed by the
33 * next segment immediately afterward. There is no alignment.
34 *
35 * It is the sender's responsibility to merge new data into the last segment
36 * whenever possible, so that the receiver side never needs to consider more
37 * than one segment at once. In order to allow such merging, each receive
38 * buffer has not only a tail and in-use length (pointing to the head when
39 * combined) but also an offset from the tail to the last header, if any. Note
40 * that the receiver may over time still look at multiple segments for a single
41 * request: this happens when a MSG_WAITALL request empties the buffer and then
42 * blocks - the next piece of arriving data can then obviously not be merged.
43 *
44 * If a segment has the UDS_HAS_FD flag set, then one or more in-flight file
45 * descriptors are associated with the segment. These are stored in a separate
46 * data structure, mainly to simplify cleaning up when the socket is shut down
47 * for reading or closed. That structure also contains the number of file
48 * descriptors associated with the current segment, so this is not stored in
49 * the segment itself. As mentioned later, this may be changed in the future.
50 *
51 * On the sender side, there is a trade-off between fully utilizing the receive
52 * buffer, and not repeatedly performing expensive actions for the same call:
53 * it may be costly to determine exactly how many in-flight file descriptors
54 * there will be (if any) and/or how much space is needed to store credentials.
55 * We currently use the policy that we rather block/reject a send request that
56 * may (just) have fit in the remaining part of the receive buffer, than obtain
57 * the same information multiple times or keep state between callbacks. In
58 * practice this is not expected to make a difference, especially since
59 * transfer of ancillary data should be rare anyway.
60 */
61 /*
62 * The current layout of the segment header is as follows.
63 *
64 * The first byte contains the upper eight bits of the total segment length.
65 * The second byte contains the lower eight bits of the total segment length.
66 * The third byte contains the upper eight bits of the data length.
67 * The fourth byte contains the lower eight bits of the data length.
68 * The fifth byte is a bitmask for ancillary data associated with the segment.
69 */
70 #define UDS_HDRLEN 5
76 #define UDS_MAXCREDLEN SOCKCREDSIZE(NGROUPS_MAX)
78 #define uds_get_head(uds) \
79 ((size_t)((uds)->uds_tail + (uds)->uds_len) % UDS_BUF)
80 #define uds_get_last(uds) \
81 ((size_t)((uds)->uds_tail + (uds)->uds_last) % UDS_BUF)
82 #define uds_advance(pos,add) (((pos) + (add)) % UDS_BUF)
84 /*
85 * All in-flight file descriptors are (co-)owned by the UDS driver itself, as
86 * local open file descriptors. Like any other process, the UDS driver can not
87 * have more than OPEN_MAX open file descriptors at any time. Thus, this is
88 * also the inherent maximum number of in-flight file descriptors. Therefore,
89 * we maintain a single pool of in-flight FD structures, and we associate these
90 * structures with sockets as needed.
91 */
98 /*
99 * Initialize the input/output part of the UDS service.
100 */
101 void
103 {
110 }
112 /*
113 * Set up all input/output state for the given socket, which has just been
114 * allocated. As part of this, allocate memory for the receive buffer of the
115 * socket. Return OK or a negative error code.
116 */
117 int
119 {
121 /* TODO: decide if we should preallocate the memory. */
133 }
135 /*
136 * Clean up the input/output state for the given socket, which is about to be
137 * freed. As part of this, deallocate memory for the receive buffer and close
138 * any file descriptors still in flight on the socket.
139 */
140 void
142 {
144 /* Close any in-flight file descriptors. */
147 /* Free the receive buffer memory. */
150 }
152 /*
153 * The socket is being closed or shut down for reading. If there are still any
154 * in-flight file descriptors, theey will never be received anymore, so close
155 * them now.
156 */
157 void
159 {
162 /*
163 * The UDS service may have the last and only reference to any of these
164 * file descriptors here. For that reason, we currently disallow
165 * transfer of UDS file descriptors, because the close(2) here could
166 * block on a socket close operation back to us, leading to a deadlock.
167 * Also, we use a non-blocking variant of close(2), to prevent that we
168 * end up hanging on sockets with SO_LINGER turned on.
169 */
174 }
178 /*
179 * If this reset happens as part of a shutdown, it might be done
180 * again on close, so ensure that it will find a clean state. The
181 * receive buffer should never be looked at again either way, but reset
182 * it too just to be sure.
183 */
189 }
191 /*
192 * Return the maximum usable part of the receive buffer, in bytes. The return
193 * value is used for the SO_SNDBUF and SO_RCVBUF socket options.
194 */
195 size_t
197 {
199 /*
200 * TODO: it would be nicer if at least for SOCK_STREAM-type sockets, we
201 * could use the full receive buffer for data. This would require that
202 * we store up to one header in the socket object rather than in the
203 * receive buffer.
204 */
206 }
208 /*
209 * Fetch 'len' bytes starting from absolute position 'pos' into the receive
210 * buffer of socket 'uds', and copy them into the buffer pointed to by 'ptr'.
211 * Return the absolute position of the first byte after the fetched data in the
212 * receive buffer.
213 */
214 static size_t
216 {
233 }
234 }
236 /*
237 * Store 'len' bytes from the buffer pointed to by 'ptr' into the receive
238 * buffer of socket 'uds', starting at absolute position 'pos' into the receive
239 * buffer. Return the absolute position of the first byte after the stored
240 * data in the receive buffer.
241 */
242 static size_t
244 {
255 len);
262 }
263 }
265 /*
266 * Fetch a segment header previously stored in the receive buffer of socket
267 * 'uds' at absolute position 'off'. Return the absolute position of the first
268 * byte after the header, as well as the entire segment length in 'seglen', the
269 * length of the data in the segment in 'datalen', and the segment flags in
270 * 'segflags'.
271 */
272 static size_t
275 {
291 }
293 /*
294 * Store a segment header in the receive buffer of socket 'uds' at absolute
295 * position 'off', with the segment length 'seglen', the segment data length
296 * 'datalen', and the segment flags 'segflags'. Return the absolute receive
297 * buffer position of the first data byte after the stored header.
298 */
299 static size_t
302 {
317 }
319 /*
320 * Perform initial checks on a send request, before it may potentially be
321 * suspended. Return OK if this send request is valid, or a negative error
322 * code if it is not.
323 */
324 int
328 {
332 /*
333 * Reject calls with unknown flags. Besides the flags handled entirely
334 * by libsockevent (which are not part of 'flags' here), that is all of
335 * them. TODO: ensure that we should really reject all other flags
336 * rather than ignore them.
337 */
341 /*
342 * Perform very basic address and message size checks on the send call.
343 * For non-stream sockets, we must reject packets that may never fit in
344 * the receive buffer, or otherwise (at least for SOCK_SEQPACKET) the
345 * send call may end up being suspended indefinitely. Therefore, we
346 * assume the worst-case scenario, which is that a full set of
347 * credentials must be associated with the packet. As a result, we may
348 * reject some large packets that could actually just fit. Checking
349 * the peer's LOCAL_CREDS setting here is not safe: even if we know the
350 * peer already at all (for SOCK_DGRAM we do not), the send may still
351 * block and the option toggled before it unblocks.
352 */
355 /* Nothing to check for this case. */
368 /*
369 * The path is stored without null terminator, but with leading
370 * byte containing the path length--if there is a path at all.
371 */
374 pathlen++;
383 }
386 }
388 /*
389 * Determine whether the (real or pretend) send request should be processed
390 * now, suspended until later, or rejected based on the current socket state.
391 * Return OK if the send request should be processed now. Return SUSPEND if
392 * the send request should be retried later. Return an appropriate negative
393 * error code if the send request should fail.
394 */
395 static int
398 {
417 /*
418 * For connection-type sockets, we now have to check if there
419 * is enough room in the receive buffer. For SOCK_STREAM
420 * sockets, we must check if at least 'min' bytes can be moved
421 * into the receive buffer, at least if that is a reasonable
422 * value for ever making any forward progress at all. For
423 * SOCK_SEQPACKET sockets, we must check if the entire packet
424 * of size 'len' can be stored in the receive buffer. In both
425 * cases, we must take into account any metadata to store along
426 * with the data.
427 *
428 * Unlike in uds_pre_send(), we can now check safely whether
429 * the peer is expecting credentials, but we still don't know
430 * the actual size of the credentials, so again we take the
431 * maximum possible size. The same applies to file descriptors
432 * transferred via control data: all we have the control length
433 * right now, which if non-zero we assume to mean there might
434 * be file descriptors.
435 *
436 * In both cases, the reason of overestimating is that actually
437 * getting accurate sizes, by obtaining credentials or copying
438 * in control data, is very costly. We want to do that only
439 * when we are sure we will not suspend the send call after
440 * all. It is no problem to overestimate how much space will
441 * be needed here, but not to underestimate: that could cause
442 * applications that use select(2) and non-blocking sockets to
443 * end up in a busy-wait loop.
444 */
447 else
453 /*
454 * Limit the low threshold to the maximum that can ever
455 * be sent at once.
456 */
460 /*
461 * Suspend the call only if not even the low threshold
462 * is met. Otherwise we may make (partial) progress.
463 */
467 /*
468 * If the receive buffer already has at least one
469 * segment, and there are certainly no file descriptors
470 * to transfer now, and we do not have to store
471 * credentials either, then this segment can be merged
472 * with the previous one. In that case, we need no
473 * space for a header. That is certainly the case if
474 * we are resuming an already partially completed send.
475 */
483 }
486 }
488 /*
489 * Get the destination peer for a send request. The send test has already been
490 * performed first. On success, return OK, with a pointer to the peer socket
491 * stored in 'peerp'. On failure, return an appropriate error code.
492 */
493 static int
496 {
502 /* This was already checked in uds_pre_check(). */
505 /*
506 * Find the socket identified by the given address.
507 * If it exists at all, see if it is a proper match.
508 */
513 /*
514 * If the peer socket is connected to a target, it
515 * must be this socket. Unfortunately, POSIX does not
516 * specify an error code for this. We borrow Linux's.
517 */
523 /*
524 * If the receiving end will never receive this packet, we
525 * might as well not send it, so drop it immeiately. Indicate
526 * as such to the caller, using NetBSD's chosen error code.
527 */
534 }
538 }
540 /*
541 * Generate a new segment for the current send request, or arrange things such
542 * that new data can be merged with a previous segment. As part of this,
543 * decide whether we can merge data at all. The segment will be merged if, and
544 * only if, all of the following requirements are met:
545 *
546 * 1) the socket is of type SOCK_STREAM;
547 * 2) there is a previous segment in the receive buffer;
548 * 3) there is no ancillary data for the current send request.
549 *
550 * Also copy in regular data (if any), retrieve the sender's credentials (if
551 * needed), and copy over the source path (if applicable). However, do not yet
552 * commit the segment (or the new part to be merged), because the send request
553 * may still fail for other reasons.
554 *
555 * On success, return the length of the new segment (or, when merging, the
556 * length to be added to the last segment), as well as a flag indicating
557 * whether we are merging into the last segment in 'mergep', the length of the
558 * (new) data in the segment in 'datalenp', and the new segment's flags in
559 * 'segflagsp' (always zero when merging). Note that a return value of zero
560 * implies that we are merging zero extra bytes into the last segment, which
561 * means that effectively nothing changes; in that case the send call will be
562 * cut short and return zero to the caller as well. On failure, return a
563 * negative error code.
564 */
565 static int
570 {
580 /*
581 * At this point we should add the data to the peer's receive buffer.
582 * In the case of SOCK_STREAM sockets, we should add as much of the
583 * data as possible and suspend the call to send the rest later, if
584 * applicable. In the case of SOCK_DGRAM sockets, we should drop the
585 * packet if it does not fit in the buffer.
586 *
587 * Due to the checks in uds_can_send(), we know for sure that we no
588 * longer have to suspend without making any progress at this point.
589 */
592 /*
593 * Obtain the credentials now. Doing so allows us to determine how
594 * much space we actually need for them.
595 */
603 /*
604 * getsockcred(3) returns the total number of groups for the
605 * process, which may exceed the size of the given array. Our
606 * groups array should always be large enough for all groups,
607 * but we check to be sure anyway.
608 */
617 /* For bound source datagram sockets, include the source path. */
628 /*
629 * Determine whether we can merge data into the previous
630 * segment. This is a more refined version of the test in
631 * uds_can_send(), as we now know whether there are actually
632 * any FDs to transfer.
633 */
636 /* Determine how much we can send at once. */
646 /* If we cannot make progress, we should have suspended.. */
652 }
656 /*
657 * Compute the total amount of space we need for the segment in the
658 * receive buffer. Given that we have done will-it-fit tests in
659 * uds_can_send() for SOCK_STREAM and SOCK_SEQPACKET, there is only one
660 * case left where the result may not fit, and that is for SOCK_DGRAM
661 * packets. In that case, we drop the packet. POSIX says we should
662 * throw an error in that case, and that is also what NetBSD does.
663 */
666 else
672 /* Drop the packet, borrowing NetBSD's chosen error code. */
674 }
676 /*
677 * Generate the full segment, but do not yet update the buffer head.
678 * We may still run into an error (copying in file descriptors) or even
679 * decide that nothing gets sent after all (if there are no data or
680 * file descriptors). If we are merging the new data into the previous
681 * segment, do not generate a header.
682 */
685 /* Generate the header, if needed. */
688 else
691 /* Copy in and store the sender's credentials, if desired. */
707 }
709 /* Store the sender's address if any. Datagram sockets only. */
717 }
719 /* Lastly, copy in the actual data (if any) from the caller. */
733 }
737 }
743 }
745 /*
746 * Copy in control data for the current send request, and extract any file
747 * descriptors to be transferred. Do not yet duplicate the file descriptors,
748 * but rather store a list in a temporary buffer: the send request may still
749 * fail in which case we want to avoid having to undo the duplication.
750 *
751 * On success, return the number of (zero or more) file descriptors extracted
752 * from the request and stored in the temporary buffer. On failure, return a
753 * negative error code.
754 */
755 static int
757 endpoint_t user_endpt)
758 {
761 socklen_t left;
765 /*
766 * Copy in the control data. We can spend a lot of effort copying in
767 * the data in small chunks, and change the receiving side to do the
768 * same, but it is really not worth it: applications never send a whole
769 * lot of file descriptors at once, and the buffer size is currently
770 * such that the UDS service itself will exhaust its OPEN_MAX limit
771 * anyway if they do.
772 */
782 /*
783 * Look for any file descriptors, and store their remote file
784 * descriptor numbers into a temporary array.
785 */
793 /*
794 * The sender may provide file descriptors in multiple chunks.
795 * Currently we do not preserve these chunk boundaries, instead
796 * generating one single chunk with all file descriptors for the
797 * segment upon receipt. If needed, we can fairly easily adapt this
798 * later.
799 */
802 /*
803 * Check for bogus lengths. There is no excuse for this;
804 * either the caller does not know what they are doing or we
805 * are looking at a hacking attempt.
806 */
813 user_endpt);
816 }
825 /*
826 * Copy the file descriptor to the temporary buffer,
827 * whose size is based on the control data buffer, so
828 * it is always large enough to contain all FDs.
829 */
835 nfds++;
836 }
837 }
840 }
842 /*
843 * Actually duplicate any file descriptors that we extracted from the sender's
844 * control data and stored in our temporary buffer. On success, return OK,
845 * with all file descriptors stored in file descriptor objects that are
846 * appended to the socket's list of in-flight FD objects. Thus, on success,
847 * the send request may no longer fail. On failure, return a negative error
848 * code, with any partial duplication undone.
849 */
850 static int
852 {
862 /* UDS itself may already have OPEN_MAX FDs. */
865 }
867 /*
868 * The caller may have given an invalid FD, or UDS itself may
869 * unexpectedly have run out of available file descriptors etc.
870 */
883 }
885 /* Did we experience an error while copying in the file descriptors? */
887 /* Revert the successful copyfd() calls made so far. */
892 }
897 }
899 /*
900 * Success. If there were any file descriptors at all, add them to the
901 * peer's list of in-flight file descriptors. Assign the number of
902 * file descriptors copied in to the first file descriptor object, so
903 * that we know how many to copy out (or discard) for this segment.
904 * Also set the UDS_HAS_FDS flag on the segment.
905 */
912 }
914 /*
915 * The current send request is successful or at least has made progress.
916 * Commit the new segment or, if we decided to merge the new data into the last
917 * segment, update the header of the last segment. Also wake up the receiving
918 * side, because there will now be new data to receive.
919 */
920 static void
923 {
926 /*
927 * For non-datagram sockets, credentials are sent only once after
928 * setting the LOCAL_CREDS option. After that, the option is unset.
929 */
954 }
956 /* Now that there are new data, wake up the receiver side. */
958 }
960 /*
961 * Process a send request. Return OK if the send request has successfully
962 * completed, SUSPEND if it should be tried again later, or a negative error
963 * code on failure. In all cases, the values of 'off' and 'ctl_off' must be
964 * updated if any progress has been made; if either is non-zero, libsockevent
965 * will return the partial progress rather than an error code.
966 */
967 int
972 {
985 /*
986 * First see whether we can process this send call at all right now.
987 * Most importantly, for connected sockets, if the peer's receive
988 * buffer is full, we may have to suspend the call until some space has
989 * been freed up.
990 */
994 /*
995 * Then get the peer socket. For connected sockets, this is trivial.
996 * For unconnected sockets, it may involve a lookup of the given
997 * address.
998 */
1002 /*
1003 * We now know for sure that we will not suspend this call without
1004 * making any progress. However, the call may still fail. Copy in
1005 * control data first now, so that we know whether there are any file
1006 * descriptors to transfer. This aspect may determine whether or not
1007 * we can merge data with a previous segment. Do not actually copy in
1008 * the actual file descriptors yet, because that is much harder to undo
1009 * in case of a failure later on.
1010 */
1012 /* We process control data once, in full. */
1021 /*
1022 * Now generate a new segment, or (if possible) merge new data into the
1023 * last segment. Since the call may still fail, prepare the segment
1024 * but do not update the buffer head yet. Note that the segment
1025 * contains not just regular data (in fact it may contain no data at
1026 * all) but (also) certain ancillary data.
1027 */
1033 /*
1034 * If we extracted any file descriptors from the control data earlier,
1035 * copy them over to ourselves now. The resulting in-flight file
1036 * descriptors are stored in a separate data structure. This is the
1037 * last point where the send call may actually fail.
1038 */
1042 }
1044 /*
1045 * The transmission is now known to be (partially) successful. Commit
1046 * the new work by moving the receive buffer head.
1047 */
1050 /*
1051 * Register the result. For stream-type sockets, the expected behavior
1052 * is that all data be sent, and so we may still have to suspend the
1053 * call after partial progress. Otherwise, we are now done. Either
1054 * way, we are done with the control data, so mark it as consumed.
1055 */
1060 else
1062 }
1064 /*
1065 * Test whether a send request would block. The given 'min' parameter contains
1066 * the minimum number of bytes that should be possible to send without blocking
1067 * (the low send watermark). Return SUSPEND if the send request would block,
1068 * or any other error code if it would not.
1069 */
1070 int
1072 {
1076 }
1078 /*
1079 * Perform initial checks on a receive request, before it may potentially be
1080 * suspended. Return OK if this receive request is valid, or a negative error
1081 * code if it is not.
1082 */
1083 int
1086 {
1088 /*
1089 * Reject calls with unknown flags. TODO: ensure that we should really
1090 * reject all other flags rather than ignore them.
1091 */
1096 }
1098 /*
1099 * Determine whether the (real or pretend) receive request should be processed
1100 * now, suspended until later, or rejected based on the current socket state.
1101 * Return OK if the receive request should be processed now, along with a first
1102 * indication whether the call may still be suspended later in 'may_block'.
1103 * Return SUSPEND if the receive request should be retried later. Return an
1104 * appropriate negative error code if the receive request should fail.
1105 */
1106 static int
1109 {
1114 /*
1115 * If there are any pending data, those should always be received
1116 * first. However, if there is nothing to receive, then whether we
1117 * should suspend the receive call or fail immediately depends on other
1118 * conditions. We first look at these other conditions.
1119 */
1130 }
1133 /*
1134 * For stream-type sockets, we use the policy: if no regular
1135 * data is requested, then end the call without receiving
1136 * anything. For packet-type sockets, the request should block
1137 * until there is a packet to discard, though.
1138 */
1143 }
1145 /*
1146 * For stream-type sockets, we should still suspend the call if fewer
1147 * than 'min' bytes are available right now, and there is a possibility
1148 * that more data may arrive later. More may arrive later iff 'r' is
1149 * OK (i.e., no EOF or error will follow) and, in case we already
1150 * received some partial results, there is not already a next segment
1151 * with ancillary data (i.e, nonzero segment flags), or in any case
1152 * there isn't more than one segment in the buffer. Limit 'min' to the
1153 * maximum that can ever be received, though. Since that is difficult
1154 * in our case, we check whether the buffer is entirely full instead.
1155 */
1166 }
1168 /*
1169 * Also start the decision process as to whether we should suspend the
1170 * current call if MSG_WAITALL is given. Unfortunately there is no one
1171 * place where we can conveniently do all the required checks.
1172 */
1176 }
1178 /*
1179 * Receive regular data, and possibly the source path, from the tail segment in
1180 * the receive buffer. On success, return the positive non-zero length of the
1181 * tail segment, with 'addr' and 'addr_len' modified to store the source
1182 * address if applicable, the result flags in 'rflags' updated as appropriate,
1183 * the tail segment's data length stored in 'datalen', the number of received
1184 * regular data bytes stored in 'reslen', the segment flags stored in
1185 * 'segflags', and the absolute receive buffer position of the credentials in
1186 * the segment stored in 'credpos' if applicable. Since the receive call may
1187 * still fail, this function must not yet update the tail or any other aspect
1188 * of the receive buffer. Return zero if the current receive call was already
1189 * partially successful (due to MSG_WAITALL) and can no longer make progress,
1190 * and thus should be ended. Return a negative error code on failure.
1191 */
1192 static int
1198 {
1207 /*
1208 * If a partially completed receive now runs into a segment that cannot
1209 * be logically merged with the previous one (because it has at least
1210 * one segment flag set, meaning it has ancillary data), then we must
1211 * shortcut the receive now.
1212 */
1216 /*
1217 * As stated, for stream-type sockets, we choose to ignore zero-size
1218 * receive calls. This has the consequence that reading a zero-sized
1219 * segment (with ancillary data) requires a receive request for at
1220 * least one regular data byte. Such a receive call would then return
1221 * zero. The problem with handling zero-data receive requests is that
1222 * we need to know whether the current segment is terminated (i.e., no
1223 * more data can possibly be merged into it later), which is a test
1224 * that we rather not perform, not in the least because we do not know
1225 * whether there is an error pending on the socket.
1226 *
1227 * For datagrams, we currently allow a zero-size receive call to
1228 * discard the next datagram.
1229 *
1230 * TODO: compare this against policies on other platforms.
1231 */
1235 /*
1236 * We have to skip the credentials for now: these are copied out as
1237 * control data, and thus will (well, may) be looked at when dealing
1238 * with the control data. For the same reason, we do not even look at
1239 * UDS_HAS_FDS here.
1240 */
1246 }
1248 /*
1249 * Copy out the source address, but only if the (datagram) socket is
1250 * not connected. TODO: even when it is connected, it may still
1251 * receive packets sent to it from other sockets *before* being
1252 * connected, and the receiver has no way of knowing that those packets
1253 * did not come from its new peer. Ideally, the older packets should
1254 * be dropped..
1255 */
1264 }
1266 /*
1267 * We can receive no more data than those that are present in the
1268 * segment, obviously. For stream-type sockets, any more data that
1269 * could have been received along with the current data would have been
1270 * merged in the current segment, so we need not search for any next
1271 * segments.
1272 *
1273 * For non-stream sockets, the caller may receive less than a whole
1274 * packet if it supplied a small buffer. In that case, the rest of the
1275 * packet will be discarded (but not here yet!) and the caller gets
1276 * the MSG_TRUNC flag in its result, if it was using sendmsg(2) anyway.
1277 */
1283 /* Copy out the data to the caller. */
1296 }
1300 }
1305 }
1307 /*
1308 * The current segment has associated file descriptors. If possible, copy out
1309 * all file descriptors to the receiver, and generate and copy out a chunk of
1310 * control data that contains their file descriptor numbers. If not all
1311 * file descriptors fit in the receiver's buffer, or if any error occurs, no
1312 * file descriptors are copied out.
1313 */
1314 static int
1317 {
1325 /* See how many file descriptors should be part of this chunk. */
1331 /*
1332 * We produce and copy out potentially unaligned chunks, using
1333 * CMSG_LEN, but return the aligned size at the end, using CMSG_SPACE.
1334 * This may leave "gap" bytes unchanged in userland, but that should
1335 * not be a problem. By producing unaligned chunks, we eliminate a
1336 * potential boundary case where the unaligned chunk passed in (by the
1337 * sender) no longer fits in the same buffer after being aligned here.
1338 */
1357 /*
1358 * Copy the group's local file descriptors to the target endpoint, and
1359 * store the resulting remote file descriptors in the chunk buffer.
1360 */
1371 /* Failure may happen legitimately here (e.g., EMFILE). */
1382 }
1384 /* If everything went well so far, copy out the produced chunk. */
1388 /*
1389 * Handle errors. At this point, the 'i' variable contains the number
1390 * of file descriptors that have already been successfully copied out.
1391 */
1393 /* Revert the successful copyfd() calls made so far. */
1398 }
1401 }
1403 /*
1404 * Success. Return the aligned size of the produced chunk, if the
1405 * given length permits it. From here on, the receive call may no
1406 * longer fail, as that would result in lost file descriptors.
1407 */
1409 }
1411 /*
1412 * Generate and copy out a chunk of control data with the sender's credentials.
1413 * Return the aligned chunk size on success, or a negative error code on
1414 * failure.
1415 */
1416 static int
1419 {
1427 /*
1428 * Since the sender side already did the hard work of producing the
1429 * (variable-size) sockcred structure as it should be received, there
1430 * is relatively little work to be done here.
1431 */
1459 }
1461 /*
1462 * Copy out control data for the ancillary data associated with the current
1463 * segment, if any. Return OK on success, at which point the current receive
1464 * call may no longer fail. 'rflags' may be updated with additional result
1465 * flags. Return a negative error code on failure.
1466 */
1467 static int
1471 {
1474 /*
1475 * We first copy out all file descriptors, if any. We put them in one
1476 * SCM_RIGHTS chunk, even if the sender put them in separate SCM_RIGHTS
1477 * chunks. We believe that this should not cause application-level
1478 * issues, but if it does, we can change that later with some effort.
1479 * We then copy out credentials, if any.
1480 *
1481 * We copy out each control chunk independently of the others, and also
1482 * perform error recovery on a per-chunk basis. This implies the
1483 * following. If producing or copying out the first chunk fails, the
1484 * entire recvmsg(2) call will fail with an appropriate error. If
1485 * producing or copying out any subsequent chunk fails, the recvmsg(2)
1486 * call will still return the previously generated chunks (a "short
1487 * control read" if you will) as well as the MSG_CTRUNC flag. This
1488 * approach is simple and clean, and it guarantees that we can always
1489 * copy out at least as many file descriptors as we copied in for this
1490 * segment, even if credentials are present as well. However, the
1491 * approach does cause slightly more overhead when there are multiple
1492 * chunks per call, as those are copied out separately.
1493 *
1494 * Since the generated SCM_RIGHTS chunk is never larger than the
1495 * originally received SCM_RIGHTS chunk, the temporary "uds_ctlbuf"
1496 * buffer is always large enough to contain the chunk in its entirety.
1497 * SCM_CREDS chunks should always fit easily as well.
1498 *
1499 * The MSG_CTRUNC flag will be returned iff not the entire user-given
1500 * control buffer was filled and not all control chunks were delivered.
1501 * Our current implementation does not deliver partial chunks. NetBSD
1502 * does, except for SCM_RIGHTS chunks.
1503 *
1504 * TODO: get rid of the redundancy in processing return values.
1505 */
1508 flags);
1510 /*
1511 * At this point, 'r' contains one of the following:
1512 *
1513 * r > 0 a chunk of 'r' bytes was added successfully.
1514 * r == 0 not enough space left; the chunk was not added.
1515 * r < 0 an error occurred; the chunk was not added.
1516 */
1525 }
1530 /* As above. */
1539 }
1542 }
1544 /*
1545 * The current receive request is successful or, in the case of MSG_WAITALL,
1546 * has made progress. Advance the receive buffer tail, either by discarding
1547 * the entire tail segment or by generating a new, smaller tail segment that
1548 * contains only the regular data left to be received from the original tail
1549 * segment. Also wake up the sending side for connection-oriented sockets if
1550 * applicable, because there may now be room for more data to be sent. Update
1551 * 'may_block' if we are now sure that the call may not block on MSG_WAITALL
1552 * after all.
1553 */
1554 static void
1557 {
1563 /* Note that 'reslen' may be legitimately zero. */
1572 /*
1573 * Fully consume the tail segment. We advance the tail by the
1574 * full segment length, thus moving up to either the next
1575 * segment in the receive buffer, or an empty receive buffer.
1576 */
1581 /*
1582 * Partially consume the tail segment. We put a new segment
1583 * header right in front of the remaining data, which obviously
1584 * always fits. Since any ancillary data was consumed along
1585 * with the first data byte of the segment, the new segment has
1586 * no ancillary data anymore (and thus a zero flags field).
1587 */
1596 }
1598 /*
1599 * For datagram-oriented sockets, we always consume at least a header.
1600 * For stream-type sockets, we either consume a zero-data segment along
1601 * with its ancillary data, or we consume at least one byte from a
1602 * segment that does have regular data. In all other cases, the
1603 * receive call has already been ended by now. Thus, we always advance
1604 * the tail of the receive buffer here.
1605 */
1608 /*
1609 * The receive buffer's used length (uds_len) and pointer to the
1610 * previous segment header (uds_last) are offsets from the tail. Now
1611 * that we have moved the tail, we need to adjust these accordingly.
1612 * If the buffer is now empty, reset the tail to the buffer start so as
1613 * to avoid splitting inter-process copies whenever possible.
1614 */
1621 /*
1622 * If uds_last is zero here, it was pointing to the segment we just
1623 * (partially) consumed. By leaving it zero, it will still point to
1624 * the new or next segment.
1625 */
1630 }
1632 /*
1633 * If there were any file descriptors associated with this segment,
1634 * close and free them now.
1635 */
1652 }
1653 }
1655 /*
1656 * If there is now any data left in the receive buffer, then there has
1657 * been a reason that we haven't received it. For stream sockets, that
1658 * reason is that the next segment has ancillary data. In any case,
1659 * this means we should never block the current receive operation
1660 * waiting for more data. Otherwise, we may block on MSG_WAITALL.
1661 */
1665 /*
1666 * If the (non-datagram) socket has a peer that is not shut down for
1667 * writing, see if it can be woken up to send more data. Note that
1668 * the event will never be processed immediately.
1669 */
1677 }
1678 }
1680 /*
1681 * Process a receive request. Return OK if the receive request has completed
1682 * successfully, SUSPEND if it should be tried again later, SOCKEVENT_EOF if an
1683 * end-of-file condition is reached, or a negative error code on failure. In
1684 * all cases, the values of 'off' and 'ctl_off' must be updated if any progress
1685 * has been made; if either is non-zero, libsockevent will return the partial
1686 * progress rather than an error code or EOF.
1687 */
1688 int
1693 {
1703 /*
1704 * Start by testing whether anything can be received at all, or whether
1705 * an error or EOF should be returned instead, or whether the receive
1706 * call should be suspended until later otherwise. If no (regular or
1707 * control) data can be received, or if this was a test for select,
1708 * we bail out right after.
1709 */
1715 /*
1716 * Copy out regular data, if any. Do this before copying out control
1717 * data, because the latter is harder to undo on failure. This data
1718 * copy function returns returns OK (0) if we are to return a result of
1719 * zero bytes (which is *not* EOF) to the caller without doing anything
1720 * else. The function returns a nonzero positive segment length if we
1721 * should carry on with the receive call (as it happens, all its other
1722 * returned values may in fact be zero).
1723 */
1729 /*
1730 * Copy out control data, if any: transfer and copy out records of file
1731 * descriptors, and/or copy out sender credentials. This is the last
1732 * part of the call that may fail.
1733 */
1738 /*
1739 * Now that the call has succeeded, move the tail of the receive
1740 * buffer, unless we were merely peeking.
1741 */
1745 else
1748 /*
1749 * If the MSG_WAITALL flag was given, we may still have to suspend the
1750 * call after partial success. In particular, the receive call may
1751 * suspend after partial success if all of these conditions are met:
1752 *
1753 * 1) the socket is a stream-type socket;
1754 * 2) MSG_WAITALL is set;
1755 * 3) MSG_PEEK is not set;
1756 * 4) MSG_DONTWAIT is not set (tested upon return);
1757 * 5) the socket must not have a pending error (tested upon return);
1758 * 6) the socket must not be shut down for reading (tested later);
1759 * 7) the socket must still be connected to a peer (no EOF);
1760 * 8) the peer must not have been shut down for writing (no EOF);
1761 * 9) the next segment, if any, contains no ancillary data.
1762 *
1763 * Together, these points guarantee that the call could conceivably
1764 * receive more after being resumed. Points 4 to 6 are covered by
1765 * libsockevent, which will end the call even if we return SUSPEND
1766 * here. Due to segment merging, we cover point 9 by checking that
1767 * there is currently no next segment at all. Once a new segment
1768 * arrives, the ancillary-data test is done then.
1769 */
1773 else
1775 }
1777 /*
1778 * Test whether a receive request would block. The given 'min' parameter
1779 * contains the minimum number of bytes that should be possible to receive
1780 * without blocking (the low receive watermark). Return SUSPEND if the send
1781 * request would block. Otherwise, return any other error code (including OK
1782 * or SOCKEVENT_EOF), and if 'size' is not a NULL pointer, it should be filled
1783 * with the number of bytes available for receipt right now (if not zero).
1784 * Note that if 'size' is not NULL, 'min' will always be zero.
1785 */
1786 int
1788 {
1803 }