Better handle TCP/IP stack crashes in the TLS compartment.

When the TCP/IP stack crashes, API calls to the compartment return `-ECOMPARTMENTFAIL`. These should be treated similarly to `-ENOTCONN`. Currently `-ECOMPARTMENTFAIL` failures are not considered by the TLS compartment and are handled in various (incorrect) ways across the code-base. Address this. Signed-off-by: Hugo Lefeuvre <[email protected]>
CHERIoT-Platform · May 21, 2024 · ae5d33b · ae5d33b
1 parent 7142e42
commit ae5d33b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/include/NetAPI.h b/include/NetAPI.h
@@ -163,6 +163,7 @@ NetworkReceiveResult __cheri_compartment("TCPIP")
  *
  * The negative values will be errno values:
  *
+ *  - `-EPERM`: `buffer` and/or `length` are invalid.
  *  - `-EINVAL`: The socket is not valid.
  *  - `-ETIMEDOUT`: The timeout was reached before data could be received.
  *  - `-ENOTCONN`: The socket is not connected.

diff --git a/lib/tls/tls.cc b/lib/tls/tls.cc
@@ -353,18 +353,21 @@ namespace
 				  if ((state & BR_SSL_RECVREC) == BR_SSL_RECVREC)
 				  {
 					  int received = receive_records(t, connection);
-					  if (received == 0 || received == -ENOTCONN)
-					  {
-						  // The link died. After
-						  // getting -ENOTCONN, the
-						  // caller should close the
-						  // TLS socket.
-						  return -ENOTCONN;
-					  }
 					  if (received == -ETIMEDOUT)
 					  {
 						  return -ETIMEDOUT;
 					  }
+					  if (received <= 0)
+					  {
+						  // The receive failed. This
+						  // can happen for a number of
+						  // reasons, but most likely
+						  // if the link died. After
+						  // getting -ENOTCONN, the
+						  // caller of this API should
+						  // close the TLS socket.
+						  return -ENOTCONN;
+					  }
 					  // Next loop iteration, we'll try pulling the
 					  // data out of the TLS engine.
 				  }
@@ -552,6 +555,12 @@ ssize_t tls_connection_send(Timeout *t,
 				  // If there's data ready to send over the network, prioritise
 				  // sending it
 				  auto [sent, unfinished] = send_records(t, connection);
+				  if (sent == -ECOMPARTMENTFAIL)
+				  {
+					  // The TCP/IP stack crashed; tell the
+					  // caller that the link is dead.
+					  return -ENOTCONN;
+				  }
 				  if (sent <= 0)
 				  {
 					  return sent;
@@ -742,6 +751,12 @@ int tls_connection_close(Timeout *t, SObj sealed)
 			{
 				return -ETIMEDOUT;
 			}
+			if (received == -ECOMPARTMENTFAIL)
+			{
+				// The TCP/IP stack crashed; give up and don't
+				// gracefully terminate.
+				break;
+			}
 			if (received <= 0)
 			{
 				// If we failed for any reason other than