tests/unix_passfd: sending many and too many SCM_RIGHTS

o Exercise bounds checking when sending large set of file descriptors, that can't fit into single control mbuf. o Exercise resource limits checks when receiving a large sets. o Check that socket isn't left in a completely stuck state when we can't receive SCM_RIGHTS due to limits. Current SOCK_STREAM socket would free the control, but leave the data in. This seems to be a legit behavior for a stream socket, as we don't want holes in the data. PR: 239250 Reviewed by: markj Differential revision: https://reviews.freebsd.org/D35315
2022-05-25 13:28:40 -07:00 · 2022-05-25 13:28:40 -07:00 · 23402c83f4
commit 23402c83f4
parent e26ef41f79
1 changed files with 68 additions and 1 deletions
--- a/tests/sys/kern/unix_passfd_test.c
+++ b/tests/sys/kern/unix_passfd_test.c
@ -28,10 +28,12 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");

-#include <sys/types.h>
+#include <sys/param.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/sysctl.h>
+#include <sys/time.h>
+#include <sys/resource.h>
 #include <sys/un.h>

 #include <errno.h>
@ -369,6 +371,70 @@ ATF_TC_BODY(send_and_shutdown, tc)
 	closesocketpair(fd);
 }

+/*
+ * Send maximum possible SCM_RIGHTS message.
+ * Internally the file descriptors are converted from integers to pointers
+ * and stored in a single mbuf cluster.  Check that we can not send too much
+ * and that we can successfully send maximum possible amount.  Check that we
+ * can not exploit getrlimit(3).
+ */
+#define	MAXFDS	((MCLBYTES - _ALIGN(sizeof(struct cmsghdr)))/sizeof(void *))
+ATF_TC_WITHOUT_HEAD(send_a_lot);
+ATF_TC_BODY(send_a_lot, tc)
+{
+	struct msghdr msghdr;
+	struct iovec iov;
+	struct rlimit rlim;
+	int fd[2], nfds;
+	char *cmsg, ch;
+
+	domainsocketpair(fd);
+	cmsg = malloc(CMSG_SPACE((MAXFDS + 1) * sizeof(int)));
+	ATF_REQUIRE(cmsg != NULL);
+	iov.iov_base = &ch;
+	iov.iov_len = sizeof(ch);
+	msghdr = (struct msghdr ){
+		.msg_control = cmsg,
+		.msg_controllen = CMSG_LEN((MAXFDS + 1) * sizeof(int)),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+	};
+
+	/* Sending too much fails. */
+	putfds(cmsg, fd[0], MAXFDS + 1);
+	ATF_REQUIRE(sendmsg(fd[0], &msghdr, 0) == -1);
+	ATF_REQUIRE(errno == EMSGSIZE);
+
+	/* Sending just the right amount works and everything is received. */
+	putfds(cmsg, fd[0], MAXFDS);
+	msghdr.msg_controllen = CMSG_LEN(MAXFDS * sizeof(int));
+	ATF_REQUIRE(sendmsg(fd[0], &msghdr, 0) == 1);
+	nfds = getnfds();
+	ATF_REQUIRE(recvmsg(fd[1], &msghdr, 0) == 1);
+	ATF_REQUIRE(getnfds() == nfds + MAXFDS);
+
+	/* Limit our process open files... */
+	ATF_REQUIRE(getrlimit(RLIMIT_NOFILE, &rlim) == 0);
+	nfds = rlim.rlim_cur = getnfds();
+	ATF_REQUIRE(setrlimit(RLIMIT_NOFILE, &rlim) == 0);
+
+	/* ... and try to receive a single descriptor. */
+	putfds(cmsg, fd[0], 1);
+	msghdr.msg_controllen = CMSG_LEN(sizeof(int));
+	ATF_REQUIRE(sendmsg(fd[0], &msghdr, 0) == 1);
+	ATF_REQUIRE(recvmsg(fd[1], &msghdr, 0) == -1);
+	/* Such attempt shall fail with EMSGSIZE. */
+	ATF_REQUIRE(errno == EMSGSIZE);
+	ATF_REQUIRE(getnfds() == nfds);
+	/*
+	 * For the SOCK_STREAM the above attempt shall free the control in
+	 * the kernel, so that socket isn't left in a stuck state.  Next read
+	 * shall bring us the normal data only.
+	 */
+	ATF_REQUIRE(recvmsg(fd[1], &msghdr, 0) == 1);
+	ATF_REQUIRE(msghdr.msg_controllen == 0);
+}
+
 /*
 * Send two files.  Then receive them.  Make sure they are returned in the
 * right order, and both get there.
@ -756,6 +822,7 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, send_and_close);
 	ATF_TP_ADD_TC(tp, send_and_cancel);
 	ATF_TP_ADD_TC(tp, send_and_shutdown);
+	ATF_TP_ADD_TC(tp, send_a_lot);
 	ATF_TP_ADD_TC(tp, two_files);
 	ATF_TP_ADD_TC(tp, bundle);
 	ATF_TP_ADD_TC(tp, bundle_cancel);