Page MenuHomeFreeBSD
Differential D48477

netlink: change snl(3) API for more robust handling of malloc errors
AcceptedPublic
Actions

Authored by glebius on Thu, Jan 16, 7:47 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 18, 9:40 AM
Unknown Object (File)
Sat, Jan 18, 7:09 AM
Unknown Object (File)
Sat, Jan 18, 5:41 AM
Subscribers
imp

Details

Reviewers
melifaro
kp
Group Reviewers
network
Summary

Before this change the API was kind of upside down: a function that
allocates memory was returning void, while a function that doesn't
allocate memory neither makes any system calls could fail. The former is
snl_init_writer() and the latter is snl_finalize_msg().

Now result of snl_init_writer() should be checked and snl_finalize_msg()
always succeeds. We don't store the error for the later. This makes
snl_abort_msg() unused inside the library, but we would leave it there,
since it may be used by an application to reset state of the writer.
While here, also assert(3) that the library use is correct, rather than
try to handle the misuse. Certain functions require writer to be an
initialized state, and certain require the opposite.

Note that this change leaves world compilable, as well as utilities
working, but libpftctl now has even more unchecked calls into the snl(3)
library. This will be handled separately.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 61751
Build 58635: arc lint + arc unit

Event Timeline

glebius created this revision.Thu, Jan 16, 7:47 AM
Herald added a subscriber: imp. · View Herald TranscriptThu, Jan 16, 7:47 AM
glebius requested review of this revision.Thu, Jan 16, 7:47 AM
Harbormaster completed remote builds in B61751: Diff 149321.Thu, Jan 16, 7:47 AM
glebius added a child revision: D48478: genl: properly handle possible failures by snl(3) library.Thu, Jan 16, 7:47 AM
glebius added a comment.Thu, Jan 16, 7:53 AM

Note for @kp . Even without this change there is a lot of bad copy & paste in libpfctl and lack of result checking. The change is not expected to break anything beyond current level of brokenness. Once we accept this revision, and maybe a couple future ones, I promise to do a sweep over libpfctl. It is too early to do it now, since I might find more potential malloc failures not propagated to API user as well as general API pitfalls.

kp accepted this revision as: kp.Thu, Jan 16, 11:02 AM
In D48477#1106107, @glebius wrote:

Note for @kp . Even without this change there is a lot of bad copy & paste in libpfctl and lack of result checking. The change is not expected to break anything beyond current level of brokenness. Once we accept this revision, and maybe a couple future ones, I promise to do a sweep over libpfctl. It is too early to do it now, since I might find more potential malloc failures not propagated to API user as well as general API pitfalls.

To be honest, I usually write code on the assumption that memory allocation in userspace never fails. We overallocate by default, so that's the (by far) most common case. Failure code basically never gets tested, and can fairly safely be assumed to be broken.

I'm not going to stop anyone from trying to make it correct, but I'm just not very concerned about it.

sys/netlink/netlink_snl.h
1051

return (false); ?

This revision is now accepted and ready to land.Thu, Jan 16, 11:02 AM
glebius mentioned this in D48478: genl: properly handle possible failures by snl(3) library.Fri, Jan 17, 2:29 AM

Revision Contents
Changeset List

PathSize
sys/
netlink/
65 lines
tests/
sys/
netlink/
16 lines
2 lines

Diff 149321

View Options

sys/netlink/netlink_snl.h

Loading...
View Options

tests/sys/netlink/test_snl.c

Loading...
View Options

tests/sys/netlink/test_snl_generic.c

Loading...