capsules_extra/net/udp/
udp_port_table.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
// Licensed under the Apache License, Version 2.0 or the MIT License.
// SPDX-License-Identifier: Apache-2.0 OR MIT
// Copyright Tock Contributors 2022.

//! In-kernel structure for tracking UDP ports bound by capsules.
//!
//! When kernel capsules wish to send or receive UDP packets, the UDP sending / receiving
//! capsules will only allow this if the capsule has bound to the port it wishes to
//! send from / receive on. Binding to a port is accomplished via calls on the
//! `UdpPortManager` struct defined in this file. Calls to bind on this table enforce that only
//! one capsule can be bound to a given port at any time. Once capsules successfully bind
//! using this table, they receive back binding structures (`UdpPortBindingTx`/`UdpPortBindingRx`)
//! that act as proof that the holder
//! is bound to that port. These structures can only be created within this file, and calls
//! to unbind must consume these structures, enforcing this invariant.
//! The UDP tx/rx capsules require these bindings be passed in order to send/receive on a given
//! port. Separate bindings are used for sending and receiving because the UdpReceiver must
//! hold onto the binding for as long as a capsule wishes to receive packets on a port, so
//! a separate binding must be available to enable sending packets on a port while
//! listening on the same port.
//!
//! To reduce the size of data structures required for this task, a fixed size
//! array is used to store bindings in the kernel. This means that a limited
//! number of bindings can be stored at any point in time. Reserving a slot
//! in this table is done by requesting a socket, which represents a reserved slot.
//! These sockets are then used to request bindings on a particular port.
//!
//! This file only stores information about which ports are bound by capsules.
//! The files `udp_send.rs` and `udp_recv.rs` enforce that only capsules possessing
//! the correct bindings can actually send / recv on a given port.
//!
//! Userspace port bindings are managed separately by the userspace UDP driver
//! (`capsules/src/net/udp/driver.rs`), because apps can be dynamically added or
//! removed. Bindings for userspace apps are stored in the grant regions of each app,
//! such that removing an app automatically unbinds it. This file is able to query the
//! userspace UDP driver to check which ports are bound, and vice-versa, such that
//! exclusive access to ports between userspace apps and capsules is still enforced.

use crate::net::network_capabilities::{NetworkCapability, UdpVisibilityCapability};

use core::fmt;

use kernel::capabilities::{CreatePortTableCapability, UdpDriverCapability};
use kernel::utilities::cells::{OptionalCell, TakeCell};
use kernel::ErrorCode;

// Sets the maximum number of UDP ports that can be bound by capsules. Reducing this number
// can save a small amount of memory, and slightly reduces the overhead of iterating through the
// table to check whether a port is already bound. Note: if this numberis changed,
// port_table_test2 in udp_lowpan_test.rs will fail since it tests the capacity of
// the port table -- therefore that test should be modified when MAX_NUM_BOUND_PORTS
// is.
pub const MAX_NUM_BOUND_PORTS: usize = 16;

/// Conveys what port is bound at the given index.
///
/// If no port is bound, the value stored at that location in the
/// table is Unbound.
#[derive(Clone, Copy, PartialEq)]
pub enum SocketBindingEntry {
    Port(u16),
    Unbound,
}

/// The PortQuery trait enables the UdpPortManager to query the userspace bound
/// ports in the UDP driver. The UDP driver struct implements this trait.
pub trait PortQuery {
    fn is_bound(&self, port: u16) -> bool;
}

/// Provides a handle into the bound port table.
///
/// When binding to a port, the socket is consumed and Udp{Sender,
/// Receiver}Binding structs are returned. When undbinding, the socket
/// is returned and can be used to bind to other ports.
#[derive(Debug)]
pub struct UdpSocket {
    idx: usize,
    port_table: &'static UdpPortManager,
}

/// Maps bound ports to userspace port bindings.
pub struct UdpPortManager {
    port_array: TakeCell<'static, [Option<SocketBindingEntry>]>,
    user_ports: OptionalCell<&'static dyn PortQuery>,
    udp_vis: &'static UdpVisibilityCapability,
}

impl fmt::Debug for UdpPortManager {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "[Port Table]")
    }
}

impl UdpSocket {
    // important that this function is not public. If it were, capsules could
    // obtain access to ports bound by other capsules
    fn new(idx: usize, pt: &'static UdpPortManager) -> UdpSocket {
        UdpSocket {
            idx,
            port_table: pt,
        }
    }
}

impl Drop for UdpSocket {
    fn drop(&mut self) {
        self.port_table.destroy_socket(self);
    }
}

/// An opaque descriptor that allows the holder to obtain a binding on a port
/// for receiving UDP packets.
#[derive(Debug)]
pub struct UdpPortBindingRx {
    idx: usize,
    port: u16,
}

/// An opaque descriptor that allows the holder to obtain a binding on a port
/// for sending UDP packets.
#[derive(Debug)]
pub struct UdpPortBindingTx {
    idx: usize,
    port: u16,
}

impl UdpPortBindingTx {
    fn new(idx: usize, port: u16) -> UdpPortBindingTx {
        UdpPortBindingTx { idx, port }
    }

    pub fn get_port(&self) -> u16 {
        self.port
    }
}

impl UdpPortBindingRx {
    fn new(idx: usize, port: u16) -> UdpPortBindingRx {
        UdpPortBindingRx { idx, port }
    }

    pub fn get_port(&self) -> u16 {
        self.port
    }
}

impl UdpPortManager {
    // Require capability so that the port table is only created by kernel
    pub fn new(
        _cap: &dyn CreatePortTableCapability,
        used_kernel_ports: &'static mut [Option<SocketBindingEntry>],
        udp_vis: &'static UdpVisibilityCapability,
    ) -> UdpPortManager {
        UdpPortManager {
            port_array: TakeCell::new(used_kernel_ports),
            user_ports: OptionalCell::empty(),
            udp_vis,
        }
    }

    // This function is called to set a reference to the UDP driver, so that the ports
    // bound by applications can be queried from within this file.
    pub fn set_user_ports(
        &self,
        user_ports_ref: &'static dyn PortQuery,
        _driver_cap: &dyn UdpDriverCapability,
    ) {
        self.user_ports.replace(user_ports_ref);
    }

    /// Called by capsules that would like to eventually be able to bind to a
    /// UDP port. This call will succeed unless MAX_NUM_BOUND_PORTS capsules
    /// have already bound to a port.
    pub fn create_socket(&'static self) -> Result<UdpSocket, Result<(), ErrorCode>> {
        self.port_array
            .map_or(Err(Err(ErrorCode::NOSUPPORT)), |table| {
                let mut result: Result<UdpSocket, Result<(), ErrorCode>> =
                    Err(Err(ErrorCode::FAIL));
                for i in 0..MAX_NUM_BOUND_PORTS {
                    match table[i] {
                        None => {
                            result = Ok(UdpSocket::new(i, self));
                            table[i] = Some(SocketBindingEntry::Unbound);
                            break;
                        }
                        _ => (),
                    }
                }
                result
            })
    }

    /// Called when sockets are dropped to free their slots in the table.
    /// The slot in the table is only freed if the socket that is dropped is
    /// unbound. If the slot is bound, the socket is being dropped after a call to
    /// bind(), and the slot in the table should remain reserved.
    fn destroy_socket(&self, socket: &UdpSocket) {
        self.port_array.map(|table| match table[socket.idx] {
            Some(entry) => {
                if entry == SocketBindingEntry::Unbound {
                    table[socket.idx] = None;
                }
            }
            _ => {}
        });
    }

    /// Check if a given port is already bound, by either an app or capsule.
    pub fn is_bound(&self, port: u16) -> Result<bool, ()> {
        // First, check the user bindings.
        if self.user_ports.is_none() {
            return Err(());
        }
        let user_bound = self
            .user_ports
            .map_or(true, |port_query| port_query.is_bound(port));
        if user_bound {
            return Ok(true);
        };
        let ret = self
            .port_array
            .map(|table| {
                let mut port_exists = false;
                for i in 0..MAX_NUM_BOUND_PORTS {
                    match table[i] {
                        Some(SocketBindingEntry::Port(p)) => {
                            if p == port {
                                port_exists = true;
                                break;
                            }
                        }
                        _ => (),
                    }
                }
                port_exists
            })
            .unwrap();
        Ok(ret)
    }

    /// Called by capsules that have already reserved a socket to attempt to bind to
    /// a UDP port. The socket is passed by value.
    /// On success, bindings is returned. On failure, the same
    /// UdpSocket is returned.
    pub fn bind(
        &self,
        socket: UdpSocket,
        port: u16,
        net_cap: &'static NetworkCapability,
    ) -> Result<(UdpPortBindingTx, UdpPortBindingRx), UdpSocket> {
        if net_cap.local_port_valid(port, self.udp_vis) {
            match self.is_bound(port) {
                Ok(bound) => {
                    if bound {
                        Err(socket)
                    } else {
                        self.port_array
                            .map(|table| {
                                table[socket.idx] = Some(SocketBindingEntry::Port(port));
                                let binding_pair = (
                                    UdpPortBindingTx::new(socket.idx, port),
                                    UdpPortBindingRx::new(socket.idx, port),
                                );
                                // Add socket to the linked list.
                                Ok(binding_pair)
                            })
                            .unwrap()
                    }
                }
                Err(()) => Err(socket),
            }
        } else {
            Err(socket)
        }
    }

    /// Disassociate the port from the given binding. Return the socket associated
    /// with the passed bindings. On Err, return the passed bindings.
    pub fn unbind(
        &'static self,
        sender_binding: UdpPortBindingTx,
        receiver_binding: UdpPortBindingRx,
    ) -> Result<UdpSocket, (UdpPortBindingTx, UdpPortBindingRx)> {
        // Verify that the indices match up
        if sender_binding.idx != receiver_binding.idx {
            return Err((sender_binding, receiver_binding));
        }
        let idx = sender_binding.idx;
        self.port_array.map(|table| {
            table[idx] = Some(SocketBindingEntry::Unbound);
        });
        // Search the list and return the appropriate socket
        Ok(UdpSocket::new(idx, self))
    }
}