| commit | 0f24d66648f454c69677852c34d29e0b4693fbe4 | |
| author | Eric Blake <eblake@redhat.com> | |
| Sat, 18 Nov 2017 22:31:00 +0000 (18 16:31 -0600) | ||
| committer | Eric Blake <eblake@redhat.com> | |
| Mon, 20 Nov 2017 12:55:26 +0000 (20 06:55 -0600) | ||
| tree | 68d524d02db9ee9ad7e3662873c9d5f43bbb8743 | treesnapshot (tar.gz zip) |
| parent | 26fd6c525f50ebe1166a917d81f54734259f654e | commitdiff |
cleanup: Add ACQUIRE_LOCK_FOR_CURRENT_SCOPE()
Add a new macro that lets us easily code a mutex cleanup no
matter how we leave a scope, which relies on the gcc/clang
extension of __attribute__((cleanup)). Note that there is
no semi-safe fallback possible to unlock a mutex once we rely
on cleanup semantics: eliding the attribute would deadlock,
and not defining the macro at all would fail to compile for
those old compilers. Our configure check was already warning
users about non-modern compilers (and no one was complaining),
so strengthen the probe into a full-time requirement that
refuses to configure without a decent compiler.
Another argument in favor of making cleanup support mandatory:
it is trivial to write an ill-behaved client that does a tight
loop in opening a connection, requesting an NBD_CMD_WRITE with
a 64M payload, then hanging up without actually sending the
data. But since connections.c uses CLEANUP_FREE for the 64M
buffer under client control, and our (previous) behavior for a
deficient compiler was to simply elide the cleanup call and
thus leak memory, the bad client can mount a DoS attack against
real clients by forcing nbdkit compiled without cleanup support
to run out of memory very quickly (nbdkit compiled with cleanup
support is immune).
Based on an idea in libguestfs, courtesy of Richard Jones.
Signed-off-by: Eric Blake <eblake@redhat.com>
Add a new macro that lets us easily code a mutex cleanup no
matter how we leave a scope, which relies on the gcc/clang
extension of __attribute__((cleanup)). Note that there is
no semi-safe fallback possible to unlock a mutex once we rely
on cleanup semantics: eliding the attribute would deadlock,
and not defining the macro at all would fail to compile for
those old compilers. Our configure check was already warning
users about non-modern compilers (and no one was complaining),
so strengthen the probe into a full-time requirement that
refuses to configure without a decent compiler.
Another argument in favor of making cleanup support mandatory:
it is trivial to write an ill-behaved client that does a tight
loop in opening a connection, requesting an NBD_CMD_WRITE with
a 64M payload, then hanging up without actually sending the
data. But since connections.c uses CLEANUP_FREE for the 64M
buffer under client control, and our (previous) behavior for a
deficient compiler was to simply elide the cleanup call and
thus leak memory, the bad client can mount a DoS attack against
real clients by forcing nbdkit compiled without cleanup support
to run out of memory very quickly (nbdkit compiled with cleanup
support is immune).
Based on an idea in libguestfs, courtesy of Richard Jones.
Signed-off-by: Eric Blake <eblake@redhat.com>
| configure.ac | diffblobblamehistory | |
| src/cleanup.c | diffblobblamehistory | |
| src/internal.h | diffblobblamehistory |