Fix failure to remove firewall entries.

hlef · davidchisnall · commit 4748108e4dc7 · 2024-04-08T16:34:14.000+01:00
We do not call the firewall API consistently: when we add entries, we
pass ports in host endianness (see `network_socket_connect_tcp`),
however when we remove them we pass ports in network endianness. As a
result, upon removal, the firewall cannot find the relevant entry in the
table and fails to remove the rule.

Signed-off-by: Hugo Lefeuvre &lt;hugo.lefeuvre@scisemi.com&gt;
diff --git a/lib/tcpip/network_wrapper.cc b/lib/tcpip/network_wrapper.cc
@@ -30,6 +30,27 @@ using CHERI::PermissionSet;
 
 namespace
 {
+	// TODO These should probably be in their own library.
+	uint16_t constexpr ntohs(uint16_t value)
+	{
+		return
+#ifdef __LITTLE_ENDIAN__
+		  __builtin_bswap16(value)
+#else
+		  value
+#endif
+		    ;
+	}
+	uint16_t constexpr htons(uint16_t value)
+	{
+		return
+#ifdef __LITTLE_ENDIAN__
+		  __builtin_bswap16(value)
+#else
+		  value
+#endif
+		    ;
+	}
 
 	/**
 	 * The sealed wrapper around a FreeRTOS socket.
@@ -558,28 +579,27 @@ int network_socket_close(Timeout *t, SObj mallocCapability, SObj sealedSocket)
 		  // mainly if the TCP connection is dead, which is likely to
 		  // happen in practice and has no impact for us.
 		  FreeRTOS_shutdown(socket->socket, FREERTOS_SHUT_RDWR);
+		  auto localPort = ntohs(socket->socket->usLocalPort);
 		  if (socket->socket->bits.bIsIPv6)
 		  {
 			  if (isTCP)
 			  {
-				  firewall_remove_tcpipv6_endpoint(socket->socket->usLocalPort);
+				  firewall_remove_tcpipv6_endpoint(localPort);
 			  }
 			  else
 			  {
-				  firewall_remove_udpipv6_local_endpoint(
-				    socket->socket->usLocalPort);
+				  firewall_remove_udpipv6_local_endpoint(localPort);
 			  }
 		  }
 		  else
 		  {
 			  if (isTCP)
 			  {
-				  firewall_remove_tcpipv4_endpoint(socket->socket->usLocalPort);
+				  firewall_remove_tcpipv4_endpoint(localPort);
 			  }
 			  else
 			  {
-				  firewall_remove_udpipv4_local_endpoint(
-				    socket->socket->usLocalPort);
+				  firewall_remove_udpipv4_local_endpoint(localPort);
 			  }
 		  }
 		  // Close the socket.  Another thread will actually clean up the

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,27 @@ using CHERI::PermissionSet;`
`30`	`30`
`31`	`31`	`namespace`
`32`	`32`	`{`
	`33`	`+ // TODO These should probably be in their own library.`
	`34`	`+ uint16_t constexpr ntohs(uint16_t value)`
	`35`	`+ {`
	`36`	`+ return`
	`37`	`+#ifdef __LITTLE_ENDIAN__`
	`38`	`+ __builtin_bswap16(value)`
	`39`	`+#else`
	`40`	`+ value`
	`41`	`+#endif`
	`42`	`+ ;`
	`43`	`+ }`
	`44`	`+ uint16_t constexpr htons(uint16_t value)`
	`45`	`+ {`
	`46`	`+ return`
	`47`	`+#ifdef __LITTLE_ENDIAN__`
	`48`	`+ __builtin_bswap16(value)`
	`49`	`+#else`
	`50`	`+ value`
	`51`	`+#endif`
	`52`	`+ ;`
	`53`	`+ }`
`33`	`54`
`34`	`55`	`/**`
`35`	`56`	`* The sealed wrapper around a FreeRTOS socket.`
`@@ -558,28 +579,27 @@ int network_socket_close(Timeout *t, SObj mallocCapability, SObj sealedSocket)`
`558`	`579`	`// mainly if the TCP connection is dead, which is likely to`
`559`	`580`	`// happen in practice and has no impact for us.`
`560`	`581`	`FreeRTOS_shutdown(socket->socket, FREERTOS_SHUT_RDWR);`
	`582`	`+ auto localPort = ntohs(socket->socket->usLocalPort);`
`561`	`583`	`if (socket->socket->bits.bIsIPv6)`
`562`	`584`	`{`
`563`	`585`	`if (isTCP)`
`564`	`586`	`{`
`565`		`- firewall_remove_tcpipv6_endpoint(socket->socket->usLocalPort);`
	`587`	`+ firewall_remove_tcpipv6_endpoint(localPort);`
`566`	`588`	`}`
`567`	`589`	`else`
`568`	`590`	`{`
`569`		`- firewall_remove_udpipv6_local_endpoint(`
`570`		`- socket->socket->usLocalPort);`
	`591`	`+ firewall_remove_udpipv6_local_endpoint(localPort);`
`571`	`592`	`}`
`572`	`593`	`}`
`573`	`594`	`else`
`574`	`595`	`{`
`575`	`596`	`if (isTCP)`
`576`	`597`	`{`
`577`		`- firewall_remove_tcpipv4_endpoint(socket->socket->usLocalPort);`
	`598`	`+ firewall_remove_tcpipv4_endpoint(localPort);`
`578`	`599`	`}`
`579`	`600`	`else`
`580`	`601`	`{`
`581`		`- firewall_remove_udpipv4_local_endpoint(`
`582`		`- socket->socket->usLocalPort);`
	`602`	`+ firewall_remove_udpipv4_local_endpoint(localPort);`
`583`	`603`	`}`
`584`	`604`	`}`
`585`	`605`	`// Close the socket. Another thread will actually clean up the`