Ensure remote-address is allowed when creating UDP stream
#7648
Conversation
|
I've addressed the PR feedback:
@alexcrichton I'm not sure what the testing story should look like here. I don't see where the wasi implementations are being tested against non-default |
|
I wrote up some thoughts here for how this might be tested (in case anyone lands on this PR in the future) |
rylev
force-pushed
the
udp-perform-addr-checking
branch
from
0be2877 to
ce08758
Compare
crates/wasi/src/preview2/udp.rs
Outdated
| /// The pool of allowed address | ||
| pub(crate) pool: Arc<Pool>, |
There was a problem hiding this comment.
Could this start as None to represent that it's bound-late? That could also help overwriting it by accident by only writing to it if it's None
There was a problem hiding this comment.
Pushed a change that does this, but I have a question about the exact desired semantics of start-bind. Take the following_example:
// `bad_addr` is an address that is not permitted
assert!(sock.start_bind(bad_addr).is_err());
// `good_addr` is permitted
sock.start_bind(good_addr);As currently written the second call to start-bind will fail with InvalidState since the pool has already been set on the socket. Is this right? Previously, this would have succeeded. I would imagine that start_bind should be allowed to be called multiple times as long as the socket has not successfully been bound before.
There was a problem hiding this comment.
I removed the check that the pool was not previously set as this broke some tests. Once we decide on what the semantics should be, I can adjust.
There was a problem hiding this comment.
cc @badeend on this you are probably best-equipped to answer this
There was a problem hiding this comment.
From the API's perspective, unbound sockets (Default) never need a pool, and all other states (BindStarted, Bound, Connected) could've only be reached by calling bind at some point, so they always have access to a pool. A way to codify this could be:
pub(crate) enum UdpState {
Default,
BindStarted(Arc<Pool>),
Bound(Arc<Pool>),
Connected(Arc<Pool>),
}Also, OutgoingDatagramStream's pool field doesn't have to be optional, because you can never call stream on an unbound socket.
As currently written the second call to start-bind will fail with InvalidState since the pool has already been set on the socket. Is this right?
From the caller's perspective, the start-bind call should preferably succeed or fail atomically. Using the enum layout above would automagically fix that.
rylev
force-pushed
the
udp-perform-addr-checking
branch
from
84c51e4 to
a9e2dd8
Compare
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
rylev
force-pushed
the
udp-perform-addr-checking
branch
from
a9e2dd8 to
c33c918
Compare
Signed-off-by: Ryan Levick <ryan.levick@fermyon.com>
rylev
force-pushed
the
udp-perform-addr-checking
branch
from
c33c918 to
350c31c
Compare
|
I'm gonna go ahead and queue this for merge, and @rylev says they're happy to follow-up on semantic changes in a follow-up. |
Until now, the
remote-addressargument towasi:sockets/udp-socket#streamwas not checked against thePoolof allowed IP addresses. Now, we store thePoolfromnetworkinto thesocketobject inwasi:sockets/udp-socket#bindand later use thatPoolinwasi:sockets/udp-socket#streamto check thatremote-addressis allowed.The check itself is a bit hacky since
Pooldoesn't seem to expose a way to just check an address so we usePoolExtto create aUdpConnecterwhich we will fail if we don't have permission to connect to the remote address.I can add a test once I figure out the testing story in #7647