Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit07ce243

Browse files
committed
Be more wary about OpenSSL not setting errno on error.
OpenSSL will sometimes return SSL_ERROR_SYSCALL without having seterrno; this is apparently a reflection of recv(2)'s habit of notsetting errno when reporting EOF. Ensure that we treat such casesthe same as read EOF. Previously, we'd frequently report them like"could not accept SSL connection: Success" which is confusing, orworse report them with an unrelated errno left over from someprevious syscall.To fix, ensure that errno is zeroed immediately before the call,and report its value only when it's not zero afterwards; otherwisereport EOF.For consistency, I've applied the same coding pattern in libpq'spqsecure_raw_read(). Bare recv(2) shouldn't really return -1 withoutsetting errno, but in case it does we might as well cope.Per report from Andres Freund. Back-patch to all supported versions.Discussion:https://postgr.es/m/20231208181451.deqnflwxqoehhxpe@awork3.anarazel.de
1 parent3f86867 commit07ce243

File tree

4 files changed

+46
-14
lines changed

4 files changed

+46
-14
lines changed

‎src/backend/libpq/be-secure-openssl.c

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -450,6 +450,7 @@ be_tls_open_server(Port *port)
450450
* per-thread error queue following another call to an OpenSSL I/O
451451
* routine.
452452
*/
453+
errno=0;
453454
ERR_clear_error();
454455
r=SSL_accept(port->ssl);
455456
if (r <=0)
@@ -486,7 +487,7 @@ be_tls_open_server(Port *port)
486487
WAIT_EVENT_SSL_OPEN_SERVER);
487488
gotoaloop;
488489
caseSSL_ERROR_SYSCALL:
489-
if (r<0)
490+
if (r<0&&errno!=0)
490491
ereport(COMMERROR,
491492
(errcode_for_socket_access(),
492493
errmsg("could not accept SSL connection: %m")));
@@ -711,7 +712,7 @@ be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)
711712
break;
712713
caseSSL_ERROR_SYSCALL:
713714
/* leave it to caller to ereport the value of errno */
714-
if (n!=-1)
715+
if (n!=-1||errno==0)
715716
{
716717
errno=ECONNRESET;
717718
n=-1;
@@ -769,8 +770,14 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
769770
n=-1;
770771
break;
771772
caseSSL_ERROR_SYSCALL:
772-
/* leave it to caller to ereport the value of errno */
773-
if (n!=-1)
773+
774+
/*
775+
* Leave it to caller to ereport the value of errno. However, if
776+
* errno is still zero then assume it's a read EOF situation, and
777+
* report ECONNRESET. (This seems possible because SSL_write can
778+
* also do reads.)
779+
*/
780+
if (n!=-1||errno==0)
774781
{
775782
errno=ECONNRESET;
776783
n=-1;

‎src/backend/libpq/pqcomm.c

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -954,6 +954,8 @@ pq_recvbuf(void)
954954
{
955955
intr;
956956

957+
errno=0;
958+
957959
r=secure_read(MyProcPort,PqRecvBuffer+PqRecvLength,
958960
PQ_RECV_BUFFER_SIZE-PqRecvLength);
959961

@@ -966,10 +968,13 @@ pq_recvbuf(void)
966968
* Careful: an ereport() that tries to write to the client would
967969
* cause recursion to here, leading to stack overflow and core
968970
* dump! This message must go *only* to the postmaster log.
971+
*
972+
* If errno is zero, assume it's EOF and let the caller complain.
969973
*/
970-
ereport(COMMERROR,
971-
(errcode_for_socket_access(),
972-
errmsg("could not receive data from client: %m")));
974+
if (errno!=0)
975+
ereport(COMMERROR,
976+
(errcode_for_socket_access(),
977+
errmsg("could not receive data from client: %m")));
973978
returnEOF;
974979
}
975980
if (r==0)
@@ -1046,6 +1051,8 @@ pq_getbyte_if_available(unsigned char *c)
10461051
/* Put the socket into non-blocking mode */
10471052
socket_set_nonblocking(true);
10481053

1054+
errno=0;
1055+
10491056
r=secure_read(MyProcPort,c,1);
10501057
if (r<0)
10511058
{
@@ -1062,10 +1069,13 @@ pq_getbyte_if_available(unsigned char *c)
10621069
* Careful: an ereport() that tries to write to the client would
10631070
* cause recursion to here, leading to stack overflow and core
10641071
* dump! This message must go *only* to the postmaster log.
1072+
*
1073+
* If errno is zero, assume it's EOF and let the caller complain.
10651074
*/
1066-
ereport(COMMERROR,
1067-
(errcode_for_socket_access(),
1068-
errmsg("could not receive data from client: %m")));
1075+
if (errno!=0)
1076+
ereport(COMMERROR,
1077+
(errcode_for_socket_access(),
1078+
errmsg("could not receive data from client: %m")));
10691079
r=EOF;
10701080
}
10711081
}

‎src/interfaces/libpq/fe-secure-openssl.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -200,7 +200,7 @@ pgtls_read(PGconn *conn, void *ptr, size_t len)
200200
*/
201201
gotorloop;
202202
caseSSL_ERROR_SYSCALL:
203-
if (n<0)
203+
if (n<0&&SOCK_ERRNO!=0)
204204
{
205205
result_errno=SOCK_ERRNO;
206206
if (result_errno==EPIPE||
@@ -308,7 +308,13 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
308308
n=0;
309309
break;
310310
caseSSL_ERROR_SYSCALL:
311-
if (n<0)
311+
312+
/*
313+
* If errno is still zero then assume it's a read EOF situation,
314+
* and report EOF. (This seems possible because SSL_write can
315+
* also do reads.)
316+
*/
317+
if (n<0&&SOCK_ERRNO!=0)
312318
{
313319
result_errno=SOCK_ERRNO;
314320
if (result_errno==EPIPE||result_errno==ECONNRESET)
@@ -1347,10 +1353,12 @@ open_client_SSL(PGconn *conn)
13471353
{
13481354
intr;
13491355

1356+
SOCK_ERRNO_SET(0);
13501357
ERR_clear_error();
13511358
r=SSL_connect(conn->ssl);
13521359
if (r <=0)
13531360
{
1361+
intsave_errno=SOCK_ERRNO;
13541362
interr=SSL_get_error(conn->ssl,r);
13551363
unsigned longecode;
13561364

@@ -1367,10 +1375,10 @@ open_client_SSL(PGconn *conn)
13671375
{
13681376
charsebuf[PG_STRERROR_R_BUFLEN];
13691377

1370-
if (r==-1)
1378+
if (r==-1&&save_errno!=0)
13711379
appendPQExpBuffer(&conn->errorMessage,
13721380
libpq_gettext("SSL SYSCALL error: %s\n"),
1373-
SOCK_STRERROR(SOCK_ERRNO,sebuf,sizeof(sebuf)));
1381+
SOCK_STRERROR(save_errno,sebuf,sizeof(sebuf)));
13741382
else
13751383
appendPQExpBufferStr(&conn->errorMessage,
13761384
libpq_gettext("SSL SYSCALL error: EOF detected\n"));

‎src/interfaces/libpq/fe-secure.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -235,6 +235,8 @@ pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
235235
intresult_errno=0;
236236
charsebuf[PG_STRERROR_R_BUFLEN];
237237

238+
SOCK_ERRNO_SET(0);
239+
238240
n=recv(conn->sock,ptr,len,0);
239241

240242
if (n<0)
@@ -262,6 +264,11 @@ pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
262264
"\tbefore or while processing the request.\n"));
263265
break;
264266

267+
case0:
268+
/* If errno didn't get set, treat it as regular EOF */
269+
n=0;
270+
break;
271+
265272
default:
266273
appendPQExpBuffer(&conn->errorMessage,
267274
libpq_gettext("could not receive data from server: %s\n"),

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp