Merge lp:~stefan.goetz-deactivatedaccount/hipl/esp-destination-addresses into lp:hipl

 review approve

On Tue, Mar 29, 2011 at 12:44:48AM +0000, Stefan Götz wrote:
>
> Remove memory leaks and unchecked allocations from the firewall.
> Refactor the list of destination addresses associated with an ESP rule
> to use the hip_ll instead of the slist list implementation. Update all
> code handling this list so that memory allocations are checked, memory
> leaks are prevented, an error handling is performed properly.

Does this get rid of all instances of hslist? Yay for getting rid of
one of the duplicated list implementations.

> For reviewing, the commits on this branch are fairly tidy and break
> down the changes nicely.

Indeed they are, thanks. The merge proposal is fine with me, below
are just some minor comments - apply at your own discretion.

If you wish to make this even simpler, you could push r5796 and r5797
from your branch to trunk right away. They are trivial and I hereby
approve them.

> --- firewall/conntrack.c 2011-03-24 17:34:21 +0000
> +++ firewall/conntrack.c 2011-03-29 00:44:44 +0000
> @@ -288,20 +287,19 @@
> -static struct esp_address *get_esp_address(const struct slist *addr_list,
> - const struct in6_addr *addr)
> +static struct esp_address *get_esp_address(const struct hip_ll *const addresses,
> + const struct in6_addr *const addr)

I think you could just push such constifications to trunk directly,
that would make your branches even smaller...

> @@ -321,42 +319,49 @@
>
> - if (!addr_list) {
> - HIP_DEBUG("Esp slist is empty\n");
> - }

I'd say the same for such annoying debug output that we have such
abundant amounts of in HIPL.

> @@ -626,79 +625,104 @@
> + HIP_ASSERT(esp_info);
> + HIP_ASSERT(locator);
> + HIP_ASSERT(seq);
> + HIP_ASSERT(tuple);

nit: Maybe

HIP_ASSERT(esp_info || locator || seq || tuple ||
           esp_info->new_spi == esp_info->old_spi);

?

> + for (unsigned idx = 0; idx < addresses_in_locator; idx += 1) {

Hmmm, declarations inside for loops - I think we generally avoid this.

> + HIP_IFEL(hip_ll_add_first(&new_esp->dst_addresses, esp_address)
> + != 0, -1,

nit: That looks weird, keep it on one line please.

> + HIP_ASSERT(esp_info);
> + HIP_ASSERT(addr);
> + HIP_ASSERT(tuple);

see above

Diego

Hi Diego!

> Does this get rid of all instances of hslist?

Not yet. More hslist killer branches will follow.

> I think you could just push such constifications to trunk directly,
> that would make your branches even smaller...

Thanks for the tip. It made me commit a broken code to trunk. And you'll get rice cake for it - bastard ;-)

> > @@ -626,79 +625,104 @@
> > + HIP_ASSERT(esp_info);
> > + HIP_ASSERT(locator);
> > + HIP_ASSERT(seq);
> > + HIP_ASSERT(tuple);
>
> nit: Maybe
>
> HIP_ASSERT(esp_info || locator || seq || tuple ||
> esp_info->new_spi == esp_info->old_spi);
>
> ?

Not a fan: you lose the information, which pointer exactly was NULL which could aid debugging a lot.

> > + for (unsigned idx = 0; idx < addresses_in_locator; idx += 1) {
>
> Hmmm, declarations inside for loops - I think we generally avoid this.

But, but, but they are nice! Because then they have exactly the scope and visibility that they should have. Is there a con? In doc/HACKING, I found example code that declares such variables outside the for() scope, but there is no explicit rule about it.

> > + HIP_IFEL(hip_ll_add_first(&new_esp->dst_addresses, esp_address)
> > + != 0, -1,
>
> nit: That looks weird, keep it on one line please.

I agree that it looks weird, but where exactly does the weirdness to line-length tradeoff lie? I'm never quite sure how aggressively I should keep lines below 80 columns...

Stefan

On Tue, Mar 29, 2011 at 06:07:29PM +0000, Stefan Götz wrote:
>
> > Does this get rid of all instances of hslist?
>
> Not yet. More hslist killer branches will follow.

I'm looking forward to them :)

> > I think you could just push such constifications to trunk directly,
> > that would make your branches even smaller...
>
> Thanks for the tip. It made me commit a broken code to trunk. And
> you'll get rice cake for it - bastard ;-)

Your feeble attempt at passing blame around fails miserably ;-p

Splitting off sensible parts from larger changes and pushing them into
trunk is a high art. I'm sure you will learn it eventually, but beware
- the road to mastery is littered with rice cakes ;-p

> > > @@ -626,79 +625,104 @@
> > > + HIP_ASSERT(esp_info);
> > > + HIP_ASSERT(locator);
> > > + HIP_ASSERT(seq);
> > > + HIP_ASSERT(tuple);
> >
> > nit: Maybe
> >
> > HIP_ASSERT(esp_info || locator || seq || tuple ||
> > esp_info->new_spi == esp_info->old_spi);
> >
> > ?
>
> Not a fan: you lose the information, which pointer exactly was NULL
> which could aid debugging a lot.

Yeah, you guys convinced me...

> > > + for (unsigned idx = 0; idx < addresses_in_locator; idx += 1) {
> >
> > Hmmm, declarations inside for loops - I think we generally avoid this.
>
> But, but, but they are nice! Because then they have exactly the scope
> and visibility that they should have. Is there a con? In doc/HACKING,
> I found example code that declares such variables outside the for()
> scope, but there is no explicit rule about it.

Since we dropped the idea of -Wdeclaration-after-statement I guess we
can allow them.

> > > + HIP_IFEL(hip_ll_add_first(&new_esp->dst_addresses, esp_address)
> > > + != 0, -1,
> >
> > nit: That looks weird, keep it on one line please.
>
> I agree that it looks weird, but where exactly does the weirdness to
> line-length tradeoff lie? I'm never quite sure how aggressively I
> should keep lines below 80 columns...

Not that aggressively :)

I don't consider it a hard rule, but it sure helps readability if used
with a measure of flexibility. Keeping such expressions together is
where I'd let a line get longer...

Diego

Hi Stefan, thanks for sane linked list handling, at last.

Unfortunately, `hipfw -kd` segfaults during a ping test:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000404e1d in update_esp_address (addresses=0x6d5720,
    addr=0x7fffffffe920, upd_id=0x0) at firewall/conntrack.c:354
354 *esp_addr->update_id = *upd_id;
(gdb) bt
#0 0x0000000000404e1d in update_esp_address (addresses=0x6d5720,
    addr=0x7fffffffe920, upd_id=0x0) at firewall/conntrack.c:354
#1 0x0000000000406ca4 in handle_i2 (common=0x7fffffffd9a0,
    tuple=0x6d45c0, ctx=0x7fffffffe910)
    at firewall/conntrack.c:1066
#2 0x00000000004080c8 in check_packet (ip6_src=0x7fffffffe920,
    ip6_dst=0x7fffffffe930, common=0x7fffffffd9a0, tuple=0x6d45c0,
    verify_responder=0, accept_mobile=1, ctx=0x7fffffffe910)
    at firewall/conntrack.c:1647
#3 0x0000000000408e45 in conntrack (ip6_src=0x7fffffffe920,
    ip6_dst=0x7fffffffe930, buf=0x7fffffffd9a0, ctx=0x7fffffffe910)
    at firewall/conntrack.c:1958
#4 0x0000000000414198 in filter_hip (ip6_src=0x7fffffffe920,
    ip6_dst=0x7fffffffe930, buf=0x7fffffffd9a0, hook=2,
    in_if=0x7fffffffd944 "eth1", out_if=0x7fffffffd954 "eth2",
    ctx=0x7fffffffe910) at firewall/firewall.c:1042
#5 0x0000000000414218 in hip_fw_handle_hip_output (
    ctx=0x7fffffffe910) at firewall/firewall.c:1062
#6 0x0000000000414472 in hip_fw_handle_hip_forward (
    ctx=0x7fffffffe910) at firewall/firewall.c:1172
#7 0x000000000041541b in hip_fw_handle_packet (
    buf=0x7fffffffd910 "\360\002", hndl=0x6b12d0, ip_version=4,
    ctx=0x7fffffffe910) at firewall/firewall.c:1644
#8 0x0000000000415fcd in hipfw_main (rule_file=0x0,
    kill_old=true, limit_capabilities=false)
    at firewall/firewall.c:1881
#9 0x000000000042187e in main (argc=2, argv=0x7fffffffeac8)
    at firewall/main.c:188
(gdb) p esp_addr
$1 = (struct esp_address *) 0x6d50a0
(gdb) p upd_id
$2 = (const uint32_t * const) 0x0
(gdb)

More about that below. Apart from that, the rest is either unrelated or nitpicking.

> === modified file 'firewall/conntrack.c'
> [...]
> @@ -288,20 +287,19 @@
> [...]
> - while (list) {
> - esp_addr = list->data;
> + while (node) {
> + struct esp_address *const esp_addr = node->ptr;

const struct esp_address *const

> + if ((esp_addr = malloc(sizeof(*esp_addr)))) {
> + esp_addr->dst_addr = *addr;
> esp_addr->update_id = NULL;
> + if (upd_id == NULL || (esp_addr->update_id = malloc(sizeof(*esp_addr->update_id)))) {
> + *esp_addr->update_id = *upd_id;

Looks like if upd_id == NULL, the branch will be entered and a NULL dereference triggered.
Also, the return value of malloc() is not checked for NULL.

Did you find out why the update ID is dynamically allocated in the first place?

> + addr = hip_ll_del_first(&esp_tuple->dst_addresses, NULL);
> + while (addr) {
> free(addr->update_id);
> free(addr);
> -
> - free(list);
> - list = esp_tuple->dst_addr_list;
> + addr = hip_ll_del_first(&esp_tuple->dst_addresses, NULL);
> }

Code duplication can be avoided via

while (addr = hip_ll_del_first(......

On Tue, Mar 29, 2011 at 06:38:23PM +0000, Christof Mroz wrote:
> Review: Needs Fixing
> Hi Stefan, thanks for sane linked list handling, at last.
>
> Unfortunately, `hipfw -kd` segfaults during a ping test:

You actually tested somebody else's merge proposal?
10 points for Gryffindor :-)

Diego

Hi Diego!

> Splitting off sensible parts from larger changes and pushing them into
> trunk is a high art.  I'm sure you will learn it eventually, but beware
> - the road to mastery is littered with rice cakes ;-p

Oooh, the rice cake strong in this one is.

>> > Hmmm, declarations inside for loops - I think we generally avoid this.
>>
>> But, but, but they are nice! Because then they have exactly the scope
>> and visibility that they should have. Is there a con? In doc/HACKING,
>> I found example code that declares such variables outside the for()
>> scope, but there is no explicit rule about it.
>
> Since we dropped the idea of -Wdeclaration-after-statement I guess we
> can allow them.

Awesome!

>> I agree that it looks weird, but where exactly does the weirdness to
>> line-length tradeoff lie? I'm never quite sure how aggressively I
>> should keep lines below 80 columns...
>
> Not that aggressively :)
>
> I don't consider it a hard rule, but it sure helps readability if used
> with a measure of flexibility.  Keeping such expressions together is
> where I'd let a line get longer...

I'll try to read your mind better from now on ;-)

Stefan

Hi Christof!

Thanks so much for testing - I really appreciate it!

Wasn't there a plan about some automated testbed? What happened to
that? It'd be fairly cool if one could inject one's branches into such
a testbed for this kind of testing...

>> +    while (node) {
>> +        struct esp_address *const esp_addr = node->ptr;
>
> const struct esp_address *const

ok

>> +    if ((esp_addr = malloc(sizeof(*esp_addr)))) {
>> +        esp_addr->dst_addr  = *addr;
>>          esp_addr->update_id = NULL;
>> +        if (upd_id == NULL || (esp_addr->update_id = malloc(sizeof(*esp_addr->update_id)))) {
>> +            *esp_addr->update_id = *upd_id;
>
> Looks like if upd_id == NULL, the branch will be entered and a NULL dereference triggered.
> Also, the return value of malloc() is not checked for NULL.

ok - obviously, I got the logic wrong there.

> Did you find out why the update ID is dynamically allocated in the first place?

Yes: the update_id for a given destination address may be known or
not. Its value range occupies 32 bits and no magic value is reserved
to indicate the 'unknown' state. Thus, a VCP (very clever person)
decided to encode the 'unknown' state as a NULL pointer. If the
pointer is not NULL, it points to the actual known update ID.

I planned to replace this memory-leak infested mess in a different branch.

> Code duplication can be avoided via
>
> while (addr = hip_ll_del_first(...)) { ... }

Doh - of course!

>> +    HIP_ASSERT(esp_info);
>> +    HIP_ASSERT(locator);
>> +    HIP_ASSERT(seq);
>> +    HIP_ASSERT(tuple);
>> +    HIP_ASSERT(esp_info->new_spi == esp_info->old_spi);
>
> That last assertion looks odd: could this be handled gracefully? I don't know what the RFC says on this though.

The way I understand the code, this is indeed an assertion about code
consistency, i.e. no outsider can trigger this assertion, only someone
who messes up the code in an unintended way.

>> +        HIP_IFEL((new_esp = calloc(1, sizeof(*new_esp))) == NULL, -1,
>> +                 "Allocating esp_tuple object failed");
>>          new_esp->spi   = ntohl(esp_info->new_spi);
>>          new_esp->tuple = tuple;
>> +        hip_ll_init(&new_esp->dst_addresses);
>
> Is this still the state of the art, with your newly added initializer macro?

Yes - the initializer macro is only for static initializations.

>> +        for (unsigned idx = 0; idx < addresses_in_locator; idx += 1) {
>
> Now I'm even more confused about the C99 thing... Please, please tell me that this declaration is allowed :)

Diego just gave it his blessing :)

>> +            struct esp_address *const esp_address =
>> +                malloc(sizeof(*esp_address));
>> +            HIP_IFEL(esp_address == NULL, -1,
>> +                     "Allocating esp_address object for address %i failed",
>> +                     idx);
>> +            esp_address->dst_addr = addresses[idx].address;
>> +            HIP_IFEL(hip_ll_add_first(&new_esp->dst_addresses, esp_address)
>> +                     != 0, -1,
>> +                     "Appending esp_address object %i to list of destination addresses in ESP tuple failed",
>> +                     idx);
>> +            HIP_IFEL((esp_address->u...

On Tue, Mar 29, 2011 at 11:13:28PM +0000, Stefan Götz wrote:
>
> > Splitting off sensible parts from larger changes and pushing them into
> > trunk is a high art.  I'm sure you will learn it eventually, but beware
> > - the road to mastery is littered with rice cakes ;-p
>
> Oooh, the rice cake strong in this one is.

Indeed, my number one spot in the eternal rice cake table will likely
remain uncontested for eons to come ;-)

Diego

On Tue, Mar 29, 2011 at 09:08:34PM +0200, Diego Biurrun wrote:
> On Tue, Mar 29, 2011 at 06:38:23PM +0000, Christof Mroz wrote:
> > Review: Needs Fixing
> > Hi Stefan, thanks for sane linked list handling, at last.
> >
> > Unfortunately, `hipfw -kd` segfaults during a ping test:
>
> You actually tested somebody else's merge proposal?
> 10 points for Gryffindor :-)

Oh, and many thanks for helping with reviews - we can use all the extra
eyes we can get. It's great to not have to rely on my puny C skills to
keep HIPL in a good shape :)

Diego

Hi Christof!

>> +            struct esp_address *const esp_address =
>> +                malloc(sizeof(*esp_address));
>> +            HIP_IFEL(esp_address == NULL, -1,
>> +                     "Allocating esp_address object for address %i failed",
>> +                     idx);
>> +            esp_address->dst_addr = addresses[idx].address;
>> +            HIP_IFEL(hip_ll_add_first(&new_esp->dst_addresses, esp_address)
>> +                     != 0, -1,
>> +                     "Appending esp_address object %i to list of destination addresses in ESP tuple failed",
>> +                     idx);
>> +            HIP_IFEL((esp_address->update_id =
>> +                          malloc(sizeof(*esp_address->update_id))) == NULL, -1,
>> +                     "Allocating update_id object for address %i failed",
>> +                     idx);
>> +            *esp_address->update_id = seq->update_id;
>>          }
>> +
>> +        return new_esp;
>>      }
>> -    return new_esp;
>> +
>> +out_err:
>> +    free_esp_tuple(new_esp);
>> +    return NULL;
>>  }
>
> It's also easier to follow IMO if you deallocated it explicitly and not relied on free_esp_tuple() to clean up a half-initialized item.

I changed my mind: the esp_tuple is always in a state that
free_esp_tuple() can handle so it makes sense to use free_esp_tuple()
instead of re-implementing it.

Stefan

On Wed, 30 Mar 2011 23:28:31 +0200, Stefan Götz
<email address hidden> wrote:

>> It's also easier to follow IMO if you deallocated it explicitly and not
>> relied on free_esp_tuple() to clean up a half-initialized item.
>
> I changed my mind: the esp_tuple is always in a state that
> free_esp_tuple() can handle so it makes sense to use free_esp_tuple()
> instead of re-implementing it.

OK, but it took me a while to understand where the memory is deallocated
(if at all) in case of an error, so a comment would be nice.