Loading Dns64Configuration.h +1 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ #include <netinet/in.h> #include <condition_variable> #include <cstdlib> #include <functional> #include <mutex> #include <unordered_map> Loading Experiments.h +1 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ #pragma once #include <climits> #include <functional> #include <map> #include <mutex> #include <string> Loading doh/boot_time.rs +6 −10 Original line number Diff line number Diff line Loading @@ -57,8 +57,7 @@ impl BootTime { /// Gets a `BootTime` representing the current moment in time. pub fn now() -> BootTime { let mut t = libc::timespec { tv_sec: 0, tv_nsec: 0 }; // # Safety // clock_gettime's only action will be to possibly write to the pointer provided, // SAFETY: clock_gettime's only action will be to possibly write to the pointer provided, // and no borrows exist from that object other than the &mut used to construct the pointer // itself. if unsafe { libc::clock_gettime(libc::CLOCK_BOOTTIME, &mut t as *mut libc::timespec) } != 0 Loading Loading @@ -93,9 +92,8 @@ struct TimerFd(RawFd); impl Drop for TimerFd { fn drop(&mut self) { // # Safety // The fd is owned by the TimerFd struct, and no memory access occurs as a result of this // call. // SAFETY: The fd is owned by the TimerFd struct, and no memory access occurs as a result of // this call. unsafe { libc::close(self.0); } Loading @@ -110,9 +108,8 @@ impl AsRawFd for TimerFd { impl TimerFd { fn create() -> io::Result<Self> { // # Unsafe // This libc call will either give us back a file descriptor or fail, it does not act on // memory or resources. // SAFETY: This libc call will either give us back a file descriptor or fail, it does not // act on memory or resources. let raw = unsafe { libc::timerfd_create(libc::CLOCK_BOOTTIME, libc::TFD_NONBLOCK | libc::TFD_CLOEXEC) }; Loading @@ -131,8 +128,7 @@ impl TimerFd { tv_nsec: duration.subsec_nanos().try_into().unwrap(), }, }; // # Unsafe // We own `timer` and there are no borrows to it other than the pointer we pass to // SAFETY: We own `timer` and there are no borrows to it other than the pointer we pass to // timerfd_settime. timerfd_settime is explicitly documented to handle a null output // parameter for its fourth argument by not filling out the output. The fd passed in at // self.0 is owned by the `TimerFd` struct, so we aren't breaking anyone else's invariants. Loading doh/connection/mod.rs +1 −1 Original line number Diff line number Diff line Loading @@ -61,7 +61,7 @@ fn new_scid() -> [u8; quiche::MAX_CONN_ID_LEN] { fn mark_socket(socket: &std::net::UdpSocket, socket_mark: u32) -> io::Result<()> { use std::os::unix::io::AsRawFd; let fd = socket.as_raw_fd(); // libc::setsockopt is a wrapper function calling into bionic setsockopt. // SAFETY: libc::setsockopt is a wrapper function calling into bionic setsockopt. // The only pointer being passed in is &socket_mark, which is valid by virtue of being a // reference, and the foreign function doesn't take ownership or a reference to that memory // after completion. Loading doh/ffi.rs +38 −16 Original line number Diff line number Diff line Loading @@ -35,8 +35,12 @@ use tokio::sync::oneshot; use tokio::task; use url::Url; pub type ValidationCallback = extern "C" fn(net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char); pub type ValidationCallback = unsafe extern "C" fn( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ); pub type TagSocketCallback = extern "C" fn(sock: RawFd); #[repr(C)] Loading @@ -61,7 +65,9 @@ fn wrap_validation_callback(validation_fn: ValidationCallback) -> ValidationRepo } }; let netd_id = info.net_id; task::spawn_blocking(move || { // SAFETY: The string pointers are obtained from `CString`, so they must be valid C // strings. task::spawn_blocking(move || unsafe { validation_fn(netd_id, success, ip_addr.as_ptr(), domain.as_ptr()) }) .await Loading Loading @@ -167,12 +173,16 @@ pub extern "C" fn doh_dispatcher_new( } /// Deletes a DoH engine created by doh_dispatcher_new(). /// /// # Safety /// /// `doh` must be a non-null pointer previously created by `doh_dispatcher_new()` /// and not yet deleted by `doh_dispatcher_delete()`. #[no_mangle] pub unsafe extern "C" fn doh_dispatcher_delete(doh: *mut DohDispatcher) { Box::from_raw(doh).lock().exit_handler() // SAFETY: The caller guarantees that `doh` was created by `doh_dispatcher_new` (which does so // using `Box::into_raw`), and that it hasn't yet been deleted by this function. unsafe { Box::from_raw(doh) }.lock().exit_handler() } /// Probes and stores the DoH server with the given configurations. Loading @@ -194,12 +204,15 @@ pub unsafe extern "C" fn doh_net_new( network_type: uint32_t, private_dns_mode: uint32_t, ) -> int32_t { let (url, domain, ip_addr, cert_path) = match ( // SAFETY: The caller guarantees that these are all valid nul-terminated C strings. let (url, domain, ip_addr, cert_path) = match unsafe { ( std::ffi::CStr::from_ptr(url).to_str(), std::ffi::CStr::from_ptr(domain).to_str(), std::ffi::CStr::from_ptr(ip_addr).to_str(), std::ffi::CStr::from_ptr(cert_path).to_str(), ) { ) } { (Ok(url), Ok(domain), Ok(ip_addr), Ok(cert_path)) => { if domain.is_empty() { (url, None, ip_addr.to_string(), None) Loading Loading @@ -268,7 +281,9 @@ pub unsafe extern "C" fn doh_query( response_len: size_t, timeout_ms: uint64_t, ) -> ssize_t { let q = slice::from_raw_parts_mut(dns_query, dns_query_len); // SAFETY: The caller guarantees that `dns_query` is a valid pointer to a buffer of at least // `dns_query_len` items. let q = unsafe { slice::from_raw_parts_mut(dns_query, dns_query_len) }; let (resp_tx, resp_rx) = oneshot::channel(); let t = Duration::from_millis(timeout_ms); Loading Loading @@ -298,7 +313,10 @@ pub unsafe extern "C" fn doh_query( if answer.len() > response_len || answer.len() > isize::MAX as usize { return DOH_RESULT_INTERNAL_ERROR; } let response = slice::from_raw_parts_mut(response, answer.len()); // SAFETY: The caller guarantees that response points to a valid buffer at // least `response_len` long, and we just checked that `answer.len()` is no // longer than `response_len`. let response = unsafe { slice::from_raw_parts_mut(response, answer.len()) }; response.copy_from_slice(&answer); answer.len() as ssize_t } Loading Loading @@ -341,25 +359,27 @@ mod tests { const LOOPBACK_ADDR: &str = "127.0.0.1:443"; const LOCALHOST_URL: &str = "https://mylocal.com/dns-query"; extern "C" fn success_cb( unsafe extern "C" fn success_cb( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ) { assert!(success); // SAFETY: The caller guarantees that ip_addr and host are valid nul-terminated C strings. unsafe { assert_validation_info(net_id, ip_addr, host); } } extern "C" fn fail_cb( unsafe extern "C" fn fail_cb( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ) { assert!(!success); // SAFETY: The caller guarantees that ip_addr and host are valid nul-terminated C strings. unsafe { assert_validation_info(net_id, ip_addr, host); } Loading @@ -373,10 +393,12 @@ mod tests { host: *const c_char, ) { assert_eq!(net_id, TEST_NET_ID); let ip_addr = std::ffi::CStr::from_ptr(ip_addr).to_str().unwrap(); // SAFETY: The caller guarantees that `ip_addr` is a valid nul-terminated C string. let ip_addr = unsafe { std::ffi::CStr::from_ptr(ip_addr) }.to_str().unwrap(); let expected_addr: SocketAddr = LOOPBACK_ADDR.parse().unwrap(); assert_eq!(ip_addr, expected_addr.ip().to_string()); let host = std::ffi::CStr::from_ptr(host).to_str().unwrap(); // SAFETY: The caller guarantees that `host` is a valid nul-terminated C string. let host = unsafe { std::ffi::CStr::from_ptr(host) }.to_str().unwrap(); assert_eq!(host, ""); } Loading Loading
Dns64Configuration.h +1 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ #include <netinet/in.h> #include <condition_variable> #include <cstdlib> #include <functional> #include <mutex> #include <unordered_map> Loading
Experiments.h +1 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ #pragma once #include <climits> #include <functional> #include <map> #include <mutex> #include <string> Loading
doh/boot_time.rs +6 −10 Original line number Diff line number Diff line Loading @@ -57,8 +57,7 @@ impl BootTime { /// Gets a `BootTime` representing the current moment in time. pub fn now() -> BootTime { let mut t = libc::timespec { tv_sec: 0, tv_nsec: 0 }; // # Safety // clock_gettime's only action will be to possibly write to the pointer provided, // SAFETY: clock_gettime's only action will be to possibly write to the pointer provided, // and no borrows exist from that object other than the &mut used to construct the pointer // itself. if unsafe { libc::clock_gettime(libc::CLOCK_BOOTTIME, &mut t as *mut libc::timespec) } != 0 Loading Loading @@ -93,9 +92,8 @@ struct TimerFd(RawFd); impl Drop for TimerFd { fn drop(&mut self) { // # Safety // The fd is owned by the TimerFd struct, and no memory access occurs as a result of this // call. // SAFETY: The fd is owned by the TimerFd struct, and no memory access occurs as a result of // this call. unsafe { libc::close(self.0); } Loading @@ -110,9 +108,8 @@ impl AsRawFd for TimerFd { impl TimerFd { fn create() -> io::Result<Self> { // # Unsafe // This libc call will either give us back a file descriptor or fail, it does not act on // memory or resources. // SAFETY: This libc call will either give us back a file descriptor or fail, it does not // act on memory or resources. let raw = unsafe { libc::timerfd_create(libc::CLOCK_BOOTTIME, libc::TFD_NONBLOCK | libc::TFD_CLOEXEC) }; Loading @@ -131,8 +128,7 @@ impl TimerFd { tv_nsec: duration.subsec_nanos().try_into().unwrap(), }, }; // # Unsafe // We own `timer` and there are no borrows to it other than the pointer we pass to // SAFETY: We own `timer` and there are no borrows to it other than the pointer we pass to // timerfd_settime. timerfd_settime is explicitly documented to handle a null output // parameter for its fourth argument by not filling out the output. The fd passed in at // self.0 is owned by the `TimerFd` struct, so we aren't breaking anyone else's invariants. Loading
doh/connection/mod.rs +1 −1 Original line number Diff line number Diff line Loading @@ -61,7 +61,7 @@ fn new_scid() -> [u8; quiche::MAX_CONN_ID_LEN] { fn mark_socket(socket: &std::net::UdpSocket, socket_mark: u32) -> io::Result<()> { use std::os::unix::io::AsRawFd; let fd = socket.as_raw_fd(); // libc::setsockopt is a wrapper function calling into bionic setsockopt. // SAFETY: libc::setsockopt is a wrapper function calling into bionic setsockopt. // The only pointer being passed in is &socket_mark, which is valid by virtue of being a // reference, and the foreign function doesn't take ownership or a reference to that memory // after completion. Loading
doh/ffi.rs +38 −16 Original line number Diff line number Diff line Loading @@ -35,8 +35,12 @@ use tokio::sync::oneshot; use tokio::task; use url::Url; pub type ValidationCallback = extern "C" fn(net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char); pub type ValidationCallback = unsafe extern "C" fn( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ); pub type TagSocketCallback = extern "C" fn(sock: RawFd); #[repr(C)] Loading @@ -61,7 +65,9 @@ fn wrap_validation_callback(validation_fn: ValidationCallback) -> ValidationRepo } }; let netd_id = info.net_id; task::spawn_blocking(move || { // SAFETY: The string pointers are obtained from `CString`, so they must be valid C // strings. task::spawn_blocking(move || unsafe { validation_fn(netd_id, success, ip_addr.as_ptr(), domain.as_ptr()) }) .await Loading Loading @@ -167,12 +173,16 @@ pub extern "C" fn doh_dispatcher_new( } /// Deletes a DoH engine created by doh_dispatcher_new(). /// /// # Safety /// /// `doh` must be a non-null pointer previously created by `doh_dispatcher_new()` /// and not yet deleted by `doh_dispatcher_delete()`. #[no_mangle] pub unsafe extern "C" fn doh_dispatcher_delete(doh: *mut DohDispatcher) { Box::from_raw(doh).lock().exit_handler() // SAFETY: The caller guarantees that `doh` was created by `doh_dispatcher_new` (which does so // using `Box::into_raw`), and that it hasn't yet been deleted by this function. unsafe { Box::from_raw(doh) }.lock().exit_handler() } /// Probes and stores the DoH server with the given configurations. Loading @@ -194,12 +204,15 @@ pub unsafe extern "C" fn doh_net_new( network_type: uint32_t, private_dns_mode: uint32_t, ) -> int32_t { let (url, domain, ip_addr, cert_path) = match ( // SAFETY: The caller guarantees that these are all valid nul-terminated C strings. let (url, domain, ip_addr, cert_path) = match unsafe { ( std::ffi::CStr::from_ptr(url).to_str(), std::ffi::CStr::from_ptr(domain).to_str(), std::ffi::CStr::from_ptr(ip_addr).to_str(), std::ffi::CStr::from_ptr(cert_path).to_str(), ) { ) } { (Ok(url), Ok(domain), Ok(ip_addr), Ok(cert_path)) => { if domain.is_empty() { (url, None, ip_addr.to_string(), None) Loading Loading @@ -268,7 +281,9 @@ pub unsafe extern "C" fn doh_query( response_len: size_t, timeout_ms: uint64_t, ) -> ssize_t { let q = slice::from_raw_parts_mut(dns_query, dns_query_len); // SAFETY: The caller guarantees that `dns_query` is a valid pointer to a buffer of at least // `dns_query_len` items. let q = unsafe { slice::from_raw_parts_mut(dns_query, dns_query_len) }; let (resp_tx, resp_rx) = oneshot::channel(); let t = Duration::from_millis(timeout_ms); Loading Loading @@ -298,7 +313,10 @@ pub unsafe extern "C" fn doh_query( if answer.len() > response_len || answer.len() > isize::MAX as usize { return DOH_RESULT_INTERNAL_ERROR; } let response = slice::from_raw_parts_mut(response, answer.len()); // SAFETY: The caller guarantees that response points to a valid buffer at // least `response_len` long, and we just checked that `answer.len()` is no // longer than `response_len`. let response = unsafe { slice::from_raw_parts_mut(response, answer.len()) }; response.copy_from_slice(&answer); answer.len() as ssize_t } Loading Loading @@ -341,25 +359,27 @@ mod tests { const LOOPBACK_ADDR: &str = "127.0.0.1:443"; const LOCALHOST_URL: &str = "https://mylocal.com/dns-query"; extern "C" fn success_cb( unsafe extern "C" fn success_cb( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ) { assert!(success); // SAFETY: The caller guarantees that ip_addr and host are valid nul-terminated C strings. unsafe { assert_validation_info(net_id, ip_addr, host); } } extern "C" fn fail_cb( unsafe extern "C" fn fail_cb( net_id: uint32_t, success: bool, ip_addr: *const c_char, host: *const c_char, ) { assert!(!success); // SAFETY: The caller guarantees that ip_addr and host are valid nul-terminated C strings. unsafe { assert_validation_info(net_id, ip_addr, host); } Loading @@ -373,10 +393,12 @@ mod tests { host: *const c_char, ) { assert_eq!(net_id, TEST_NET_ID); let ip_addr = std::ffi::CStr::from_ptr(ip_addr).to_str().unwrap(); // SAFETY: The caller guarantees that `ip_addr` is a valid nul-terminated C string. let ip_addr = unsafe { std::ffi::CStr::from_ptr(ip_addr) }.to_str().unwrap(); let expected_addr: SocketAddr = LOOPBACK_ADDR.parse().unwrap(); assert_eq!(ip_addr, expected_addr.ip().to_string()); let host = std::ffi::CStr::from_ptr(host).to_str().unwrap(); // SAFETY: The caller guarantees that `host` is a valid nul-terminated C string. let host = unsafe { std::ffi::CStr::from_ptr(host) }.to_str().unwrap(); assert_eq!(host, ""); } Loading
