Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kern: reply buffer capacity checking #1954

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

kern: reply buffer capacity checking #1954

wants to merge 1 commit into from

Conversation

cbiffle
Copy link
Collaborator

@cbiffle cbiffle commented Dec 14, 2024

The syscall docs say that attempting to reply with a message that's too big for your client to accept is a programming error. Programming errors are expected to produce faults in the program with the error. This fault is documented as being of type ReplyTooLarge.

However, there is no such fault defined in the ABI, and the actual behavior of the kernel is to deliver the prefix of the reply that fits, and hand the client the length of that prefix. In our current world, this means the client will generally die shortly thereafter with a deserialization error.

In a potential future world where messages can contain variable length portions, the client might not even hit an error when the reply is truncated.

The code in the kernel has been marked with a TODO since forever. This commit resolves the TODO by adding a check and fault reason.

@cbiffle cbiffle requested a review from hawkw December 14, 2024 21:50
hawkw
hawkw approved these changes Dec 16, 2024
View reviewed changes
Copy link
Member

@hawkw hawkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me!

sys/abi/src/lib.rs Outdated Show resolved Hide resolved
doc/syscalls.adoc Outdated Show resolved Hide resolved
@cbiffle
kern: reply buffer capacity checking
c482f02 
The syscall docs say that attempting to reply with a message that's too
big for your client to accept is a programming error. Programming errors
are expected to produce faults in the program with the error. This fault
is documented as being of type `ReplyTooLarge`.

However, there is no such fault defined in the ABI, and the actual
behavior of the kernel is to deliver the prefix of the reply that fits,
and hand the client the length of that prefix. In our current world,
this means the client will generally die shortly thereafter with a
deserialization error.

In a potential future world where messages can contain variable length
portions, the client might not even hit an error when the reply is
truncated.

The code in the kernel has been marked with a TODO since forever. This
commit resolves the TODO by adding a check and fault reason.
@cbiffle cbiffle force-pushed the cbiffle/no-truncate-reply branch from 4200e2f to c482f02 Compare December 26, 2024 04:34
@cbiffle cbiffle enabled auto-merge (rebase) December 26, 2024 04:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hawkw hawkw hawkw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cbiffle @hawkw