Better handle TCP/IP stack crashes in the TLS compartment.

hlef · davidchisnall · commit ef3fe1965a7e · 2024-05-22T14:51:57.000+01:00
When the TCP/IP stack crashes, API calls to the compartment return
`-ECOMPARTMENTFAIL`. These should be treated similarly to `-ENOTCONN`.

Currently `-ECOMPARTMENTFAIL` failures are not considered by the TLS
compartment and are handled in various (incorrect) ways across the
code-base. Address this.

Signed-off-by: Hugo Lefeuvre &lt;hugo.lefeuvre@scisemi.com&gt;
diff --git a/include/NetAPI.h b/include/NetAPI.h
@@ -163,6 +163,7 @@ NetworkReceiveResult __cheri_compartment("TCPIP")
  *
  * The negative values will be errno values:
  *
+ *  - `-EPERM`: `buffer` and/or `length` are invalid.
  *  - `-EINVAL`: The socket is not valid.
  *  - `-ETIMEDOUT`: The timeout was reached before data could be received.
  *  - `-ENOTCONN`: The socket is not connected.
diff --git a/lib/tls/tls.cc b/lib/tls/tls.cc
@@ -353,18 +353,21 @@ namespace
 				  if ((state & BR_SSL_RECVREC) == BR_SSL_RECVREC)
 				  {
 					  int received = receive_records(t, connection);
-					  if (received == 0 || received == -ENOTCONN)
-					  {
-						  // The link died. After
-						  // getting -ENOTCONN, the
-						  // caller should close the
-						  // TLS socket.
-						  return -ENOTCONN;
-					  }
 					  if (received == -ETIMEDOUT)
 					  {
 						  return -ETIMEDOUT;
 					  }
+					  if (received <= 0)
+					  {
+						  // The receive failed. This
+						  // can happen for a number of
+						  // reasons, but most likely
+						  // if the link died. After
+						  // getting -ENOTCONN, the
+						  // caller of this API should
+						  // close the TLS socket.
+						  return -ENOTCONN;
+					  }
 					  // Next loop iteration, we'll try pulling the
 					  // data out of the TLS engine.
 				  }
@@ -552,6 +555,12 @@ ssize_t tls_connection_send(Timeout *t,
 				  // If there's data ready to send over the network, prioritise
 				  // sending it
 				  auto [sent, unfinished] = send_records(t, connection);
+				  if (sent == -ECOMPARTMENTFAIL)
+				  {
+					  // The TCP/IP stack crashed; tell the
+					  // caller that the link is dead.
+					  return -ENOTCONN;
+				  }
 				  if (sent <= 0)
 				  {
 					  return sent;
@@ -742,6 +751,12 @@ int tls_connection_close(Timeout *t, SObj sealed)
 			{
 				return -ETIMEDOUT;
 			}
+			if (received == -ECOMPARTMENTFAIL)
+			{
+				// The TCP/IP stack crashed; give up and don't
+				// gracefully terminate.
+				break;
+			}
 			if (received <= 0)
 			{
 				// If we failed for any reason other than

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,7 @@ NetworkReceiveResult __cheri_compartment("TCPIP")`
`163`	`163`	`*`
`164`	`164`	`* The negative values will be errno values:`
`165`	`165`	`*`
	`166`	+ * - `-EPERM`: `buffer` and/or `length` are invalid.
`166`	`167`	* - `-EINVAL`: The socket is not valid.
`167`	`168`	* - `-ETIMEDOUT`: The timeout was reached before data could be received.
`168`	`169`	* - `-ENOTCONN`: The socket is not connected.