1998-09-10 06:07:59 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* pqcomm.c
|
1996-07-09 08:22:35 +02:00
|
|
|
* Communication functions between the Frontend and the Backend
|
|
|
|
|
*
|
1999-04-25 05:19:27 +02:00
|
|
|
* These routines handle the low-level details of communication between
|
|
|
|
|
* frontend and backend. They just shove data across the communication
|
2021-03-04 09:45:55 +01:00
|
|
|
* channel, and are ignorant of the semantics of the data.
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* To emit an outgoing message, use the routines in pqformat.c to construct
|
|
|
|
|
* the message in a buffer and then emit it in one call to pq_putmessage.
|
|
|
|
|
* There are no functions to send raw bytes or partial messages; this
|
|
|
|
|
* ensures that the channel will not be clogged by an incomplete message if
|
|
|
|
|
* execution is aborted by ereport(ERROR) partway through the message.
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
|
|
|
|
* At one time, libpq was shared between frontend and backend, but now
|
|
|
|
|
* the backend's "backend/libpq" is quite separate from "interfaces/libpq".
|
|
|
|
|
* All that remains is similarities of names to trap the unwary...
|
|
|
|
|
*
|
2022-01-08 01:04:57 +01:00
|
|
|
* Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/backend/libpq/pqcomm.c
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
1999-04-25 05:19:27 +02:00
|
|
|
|
|
|
|
|
/*------------------------
|
1996-07-09 08:22:35 +02:00
|
|
|
* INTERFACE ROUTINES
|
|
|
|
|
*
|
1999-04-25 05:19:27 +02:00
|
|
|
* setup/teardown:
|
|
|
|
|
* StreamServerPort - Open postmaster's server port
|
1999-01-23 23:27:29 +01:00
|
|
|
* StreamConnection - Create new connection with client
|
|
|
|
|
* StreamClose - Close a client/backend connection
|
2012-08-10 23:26:44 +02:00
|
|
|
* TouchSocketFiles - Protect socket files against /tmp cleaners
|
1999-04-25 05:19:27 +02:00
|
|
|
* pq_init - initialize libpq at backend startup
|
2019-08-05 05:14:58 +02:00
|
|
|
* socket_comm_reset - reset libpq during error recovery
|
|
|
|
|
* socket_close - shutdown libpq at backend exit
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
1999-04-25 05:19:27 +02:00
|
|
|
* low-level I/O:
|
|
|
|
|
* pq_getbytes - get a known number of bytes from connection
|
2003-04-19 02:02:30 +02:00
|
|
|
* pq_getmessage - get a message with length word from connection
|
2001-12-04 20:40:17 +01:00
|
|
|
* pq_getbyte - get next byte from connection
|
1999-04-25 05:19:27 +02:00
|
|
|
* pq_peekbyte - peek at next byte from connection
|
|
|
|
|
* pq_flush - flush pending output
|
2011-03-30 09:10:32 +02:00
|
|
|
* pq_flush_if_writable - flush pending output if writable without blocking
|
2010-01-15 10:19:10 +01:00
|
|
|
* pq_getbyte_if_available - get a byte if available without blocking
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* message-level I/O
|
1999-04-25 05:19:27 +02:00
|
|
|
* pq_putmessage - send a normal message (suppressed in COPY OUT mode)
|
2011-03-30 09:10:32 +02:00
|
|
|
* pq_putmessage_noblock - buffer a normal message (suppressed in COPY OUT)
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
|
|
|
|
*------------------------
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
2000-09-27 17:17:57 +02:00
|
|
|
#include "postgres.h"
|
|
|
|
|
|
2021-04-02 21:52:30 +02:00
|
|
|
#ifdef HAVE_POLL_H
|
|
|
|
|
#include <poll.h>
|
|
|
|
|
#endif
|
1996-12-26 23:08:34 +01:00
|
|
|
#include <signal.h>
|
1996-11-06 09:48:33 +01:00
|
|
|
#include <fcntl.h>
|
2000-11-01 22:14:03 +01:00
|
|
|
#include <grp.h>
|
1999-07-16 05:14:30 +02:00
|
|
|
#include <unistd.h>
|
2003-01-25 06:19:47 +01:00
|
|
|
#include <sys/file.h>
|
1996-07-09 08:22:35 +02:00
|
|
|
#include <sys/socket.h>
|
2003-01-25 06:19:47 +01:00
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <sys/time.h>
|
1996-07-09 08:22:35 +02:00
|
|
|
#include <netdb.h>
|
2003-01-14 23:52:57 +01:00
|
|
|
#include <netinet/in.h>
|
2000-09-27 17:17:57 +02:00
|
|
|
#ifdef HAVE_NETINET_TCP_H
|
|
|
|
|
#include <netinet/tcp.h>
|
|
|
|
|
#endif
|
2003-01-25 06:19:47 +01:00
|
|
|
#include <utime.h>
|
2017-04-11 15:21:25 +02:00
|
|
|
#ifdef _MSC_VER /* mstcpip.h is missing on mingw */
|
2010-07-08 12:20:14 +02:00
|
|
|
#include <mstcpip.h>
|
|
|
|
|
#endif
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2016-09-02 12:49:59 +02:00
|
|
|
#include "common/ip.h"
|
1999-07-16 05:14:30 +02:00
|
|
|
#include "libpq/libpq.h"
|
1998-02-24 05:02:20 +01:00
|
|
|
#include "miscadmin.h"
|
2017-10-02 00:36:14 +02:00
|
|
|
#include "port/pg_bswap.h"
|
2002-05-05 02:03:29 +02:00
|
|
|
#include "storage/ipc.h"
|
2005-07-30 17:17:26 +02:00
|
|
|
#include "utils/guc.h"
|
2011-03-30 09:10:32 +02:00
|
|
|
#include "utils/memutils.h"
|
1999-07-17 01:12:39 +02:00
|
|
|
|
2017-06-28 18:30:16 +02:00
|
|
|
/*
|
|
|
|
|
* Cope with the various platform-specific ways to spell TCP keepalive socket
|
|
|
|
|
* options. This doesn't cover Windows, which as usual does its own thing.
|
|
|
|
|
*/
|
|
|
|
|
#if defined(TCP_KEEPIDLE)
|
|
|
|
|
/* TCP_KEEPIDLE is the name of this option on Linux and *BSD */
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE TCP_KEEPIDLE
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE_STR "TCP_KEEPIDLE"
|
|
|
|
|
#elif defined(TCP_KEEPALIVE_THRESHOLD)
|
|
|
|
|
/* TCP_KEEPALIVE_THRESHOLD is the name of this option on Solaris >= 11 */
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE TCP_KEEPALIVE_THRESHOLD
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE_STR "TCP_KEEPALIVE_THRESHOLD"
|
|
|
|
|
#elif defined(TCP_KEEPALIVE) && defined(__darwin__)
|
|
|
|
|
/* TCP_KEEPALIVE is the name of this option on macOS */
|
|
|
|
|
/* Caution: Solaris has this symbol but it means something different */
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE TCP_KEEPALIVE
|
|
|
|
|
#define PG_TCP_KEEPALIVE_IDLE_STR "TCP_KEEPALIVE"
|
|
|
|
|
#endif
|
|
|
|
|
|
2000-11-01 22:14:03 +01:00
|
|
|
/*
|
|
|
|
|
* Configuration options
|
|
|
|
|
*/
|
|
|
|
|
int Unix_socket_permissions;
|
|
|
|
|
char *Unix_socket_group;
|
|
|
|
|
|
2012-08-10 23:26:44 +02:00
|
|
|
/* Where the Unix socket files are (list of palloc'd strings) */
|
|
|
|
|
static List *sock_paths = NIL;
|
2004-09-26 02:26:28 +02:00
|
|
|
|
1999-01-23 23:27:29 +01:00
|
|
|
/*
|
2011-03-30 09:10:32 +02:00
|
|
|
* Buffers for low-level I/O.
|
|
|
|
|
*
|
|
|
|
|
* The receive buffer is fixed size. Send buffer is usually 8k, but can be
|
|
|
|
|
* enlarged by pq_putmessage_noblock() if the message doesn't fit otherwise.
|
1999-04-25 05:19:27 +02:00
|
|
|
*/
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
#define PQ_SEND_BUFFER_SIZE 8192
|
|
|
|
|
#define PQ_RECV_BUFFER_SIZE 8192
|
1999-04-25 05:19:27 +02:00
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
static char *PqSendBuffer;
|
|
|
|
|
static int PqSendBufferSize; /* Size send buffer */
|
1999-04-25 05:19:27 +02:00
|
|
|
static int PqSendPointer; /* Next index to store a byte in PqSendBuffer */
|
2011-03-30 09:10:32 +02:00
|
|
|
static int PqSendStart; /* Next index to send a byte in PqSendBuffer */
|
1999-04-25 05:19:27 +02:00
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
static char PqRecvBuffer[PQ_RECV_BUFFER_SIZE];
|
1999-04-25 05:19:27 +02:00
|
|
|
static int PqRecvPointer; /* Next index to read a byte from PqRecvBuffer */
|
|
|
|
|
static int PqRecvLength; /* End of data available in PqRecvBuffer */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Message status
|
1999-01-23 23:27:29 +01:00
|
|
|
*/
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
static bool PqCommBusy; /* busy sending data to the client */
|
|
|
|
|
static bool PqCommReadingMsg; /* in the middle of reading a message */
|
1999-01-23 23:27:29 +01:00
|
|
|
|
|
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
/* Internal functions */
|
2014-10-31 17:02:40 +01:00
|
|
|
static void socket_comm_reset(void);
|
|
|
|
|
static void socket_close(int code, Datum arg);
|
|
|
|
|
static void socket_set_nonblocking(bool nonblocking);
|
|
|
|
|
static int socket_flush(void);
|
|
|
|
|
static int socket_flush_if_writable(void);
|
|
|
|
|
static bool socket_is_send_pending(void);
|
|
|
|
|
static int socket_putmessage(char msgtype, const char *s, size_t len);
|
|
|
|
|
static void socket_putmessage_noblock(char msgtype, const char *s, size_t len);
|
2004-09-26 02:26:28 +02:00
|
|
|
static int internal_putbytes(const char *s, size_t len);
|
|
|
|
|
static int internal_flush(void);
|
2005-10-15 04:49:52 +02:00
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
2020-01-31 11:50:32 +01:00
|
|
|
static int Lock_AF_UNIX(const char *unixSocketDir, const char *unixSocketPath);
|
|
|
|
|
static int Setup_AF_UNIX(const char *sock_path);
|
2004-09-26 02:26:28 +02:00
|
|
|
#endif /* HAVE_UNIX_SOCKETS */
|
|
|
|
|
|
2018-10-16 05:45:30 +02:00
|
|
|
static const PQcommMethods PqCommSocketMethods = {
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_comm_reset,
|
|
|
|
|
socket_flush,
|
|
|
|
|
socket_flush_if_writable,
|
|
|
|
|
socket_is_send_pending,
|
|
|
|
|
socket_putmessage,
|
2021-03-04 09:45:55 +01:00
|
|
|
socket_putmessage_noblock
|
2014-10-31 17:02:40 +01:00
|
|
|
};
|
|
|
|
|
|
2018-10-16 05:45:30 +02:00
|
|
|
const PQcommMethods *PqCommMethods = &PqCommSocketMethods;
|
2014-12-05 01:47:06 +01:00
|
|
|
|
2016-03-21 12:58:18 +01:00
|
|
|
WaitEventSet *FeBeWaitSet;
|
2014-12-05 01:47:06 +01:00
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/* --------------------------------
|
1999-04-25 05:19:27 +02:00
|
|
|
* pq_init - initialize libpq at backend startup
|
1996-07-09 08:22:35 +02:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
void
|
1999-04-25 05:19:27 +02:00
|
|
|
pq_init(void)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2021-03-01 03:16:56 +01:00
|
|
|
int socket_pos PG_USED_FOR_ASSERTS_ONLY;
|
|
|
|
|
int latch_pos PG_USED_FOR_ASSERTS_ONLY;
|
|
|
|
|
|
2015-08-02 20:54:44 +02:00
|
|
|
/* initialize state variables */
|
2011-03-30 09:10:32 +02:00
|
|
|
PqSendBufferSize = PQ_SEND_BUFFER_SIZE;
|
|
|
|
|
PqSendBuffer = MemoryContextAlloc(TopMemoryContext, PqSendBufferSize);
|
|
|
|
|
PqSendPointer = PqSendStart = PqRecvPointer = PqRecvLength = 0;
|
2004-09-26 02:26:28 +02:00
|
|
|
PqCommBusy = false;
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
PqCommReadingMsg = false;
|
2015-08-02 20:54:44 +02:00
|
|
|
|
|
|
|
|
/* set up process-exit hook to close the socket */
|
2014-10-31 17:02:40 +01:00
|
|
|
on_proc_exit(socket_close, 0);
|
2015-02-03 22:03:48 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* In backends (as soon as forked) we operate the underlying socket in
|
|
|
|
|
* nonblocking mode and use latches to implement blocking semantics if
|
2015-02-13 20:46:14 +01:00
|
|
|
* needed. That allows us to provide safely interruptible reads and
|
|
|
|
|
* writes.
|
2015-02-03 22:03:48 +01:00
|
|
|
*
|
|
|
|
|
* Use COMMERROR on failure, because ERROR would try to send the error to
|
|
|
|
|
* the client, which might require changing the mode again, leading to
|
|
|
|
|
* infinite recursion.
|
|
|
|
|
*/
|
|
|
|
|
#ifndef WIN32
|
|
|
|
|
if (!pg_set_noblock(MyProcPort->sock))
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errmsg("could not set socket to nonblocking mode: %m")));
|
|
|
|
|
#endif
|
|
|
|
|
|
2022-02-14 04:29:44 +01:00
|
|
|
FeBeWaitSet = CreateWaitEventSet(TopMemoryContext, FeBeWaitSetNEvents);
|
2021-03-01 03:16:56 +01:00
|
|
|
socket_pos = AddWaitEventToSet(FeBeWaitSet, WL_SOCKET_WRITEABLE,
|
|
|
|
|
MyProcPort->sock, NULL, NULL);
|
|
|
|
|
latch_pos = AddWaitEventToSet(FeBeWaitSet, WL_LATCH_SET, PGINVALID_SOCKET,
|
|
|
|
|
MyLatch, NULL);
|
|
|
|
|
AddWaitEventToSet(FeBeWaitSet, WL_POSTMASTER_DEATH, PGINVALID_SOCKET,
|
Introduce WaitEventSet API.
Commit ac1d794 ("Make idle backends exit if the postmaster dies.")
introduced a regression on, at least, large linux systems. Constantly
adding the same postmaster_alive_fds to the OSs internal datastructures
for implementing poll/select can cause significant contention; leading
to a performance regression of nearly 3x in one example.
This can be avoided by using e.g. linux' epoll, which avoids having to
add/remove file descriptors to the wait datastructures at a high rate.
Unfortunately the current latch interface makes it hard to allocate any
persistent per-backend resources.
Replace, with a backward compatibility layer, WaitLatchOrSocket with a
new WaitEventSet API. Users can allocate such a Set across multiple
calls, and add more than one file-descriptor to wait on. The latter has
been added because there's upcoming postgres features where that will be
helpful.
In addition to the previously existing poll(2), select(2),
WaitForMultipleObjects() implementations also provide an epoll_wait(2)
based implementation to address the aforementioned performance
problem. Epoll is only available on linux, but that is the most likely
OS for machines large enough (four sockets) to reproduce the problem.
To actually address the aforementioned regression, create and use a
long-lived WaitEventSet for FE/BE communication. There are additional
places that would benefit from a long-lived set, but that's a task for
another day.
Thanks to Amit Kapila, who helped make the windows code I blindly wrote
actually work.
Reported-By: Dmitry Vasilyev Discussion:
CAB-SwXZh44_2ybvS5Z67p_CDz=XFn4hNAD=CnMEF+QqkXwFrGg@mail.gmail.com
20160114143931.GG10941@awork2.anarazel.de
2016-03-21 09:56:39 +01:00
|
|
|
NULL, NULL);
|
2021-03-01 03:16:56 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The event positions match the order we added them, but let's sanity
|
|
|
|
|
* check them to be sure.
|
|
|
|
|
*/
|
|
|
|
|
Assert(socket_pos == FeBeWaitSetSocketPos);
|
|
|
|
|
Assert(latch_pos == FeBeWaitSetLatchPos);
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_comm_reset - reset libpq during error recovery
|
2004-09-26 02:26:28 +02:00
|
|
|
*
|
|
|
|
|
* This is called from error recovery at the outer idle loop. It's
|
|
|
|
|
* just to get us out of trouble if we somehow manage to elog() from
|
|
|
|
|
* inside a pqcomm.c routine (which ideally will never happen, but...)
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static void
|
|
|
|
|
socket_comm_reset(void)
|
2004-09-26 02:26:28 +02:00
|
|
|
{
|
|
|
|
|
/* Do not throw away pending data, but do reset the busy flag */
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
}
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_close - shutdown libpq at backend exit
|
1999-07-23 05:00:10 +02:00
|
|
|
*
|
2015-05-18 16:02:31 +02:00
|
|
|
* This is the one pg_on_exit_callback in place during BackendInitialize().
|
|
|
|
|
* That function's unusual signal handling constrains that this callback be
|
|
|
|
|
* safe to run at any instant.
|
1996-07-09 08:22:35 +02:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2000-12-18 01:44:50 +01:00
|
|
|
static void
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_close(int code, Datum arg)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2015-05-18 16:02:31 +02:00
|
|
|
/* Nothing to do in a standalone backend, where MyProcPort is NULL. */
|
1999-07-23 05:00:10 +02:00
|
|
|
if (MyProcPort != NULL)
|
2000-05-26 03:26:19 +02:00
|
|
|
{
|
2007-07-10 15:14:22 +02:00
|
|
|
#ifdef ENABLE_GSS
|
2015-05-18 16:02:31 +02:00
|
|
|
/*
|
|
|
|
|
* Shutdown GSSAPI layer. This section does nothing when interrupting
|
|
|
|
|
* BackendInitialize(), because pg_GSS_recvauth() makes first use of
|
|
|
|
|
* "ctx" and "cred".
|
2020-12-28 23:44:17 +01:00
|
|
|
*
|
|
|
|
|
* Note that we don't bother to free MyProcPort->gss, since we're
|
|
|
|
|
* about to exit anyway.
|
2015-05-18 16:02:31 +02:00
|
|
|
*/
|
2020-12-28 23:44:17 +01:00
|
|
|
if (MyProcPort->gss)
|
|
|
|
|
{
|
|
|
|
|
OM_uint32 min_s;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2020-12-28 23:44:17 +01:00
|
|
|
if (MyProcPort->gss->ctx != GSS_C_NO_CONTEXT)
|
|
|
|
|
gss_delete_sec_context(&min_s, &MyProcPort->gss->ctx, NULL);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2020-12-28 23:44:17 +01:00
|
|
|
if (MyProcPort->gss->cred != GSS_C_NO_CREDENTIAL)
|
|
|
|
|
gss_release_cred(&min_s, &MyProcPort->gss->cred);
|
|
|
|
|
}
|
|
|
|
|
#endif /* ENABLE_GSS */
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2015-05-18 16:02:31 +02:00
|
|
|
/*
|
|
|
|
|
* Cleanly shut down SSL layer. Nowhere else does a postmaster child
|
|
|
|
|
* call this, so this is safe when interrupting BackendInitialize().
|
|
|
|
|
*/
|
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send a SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FDQN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable than RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read empheral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
|
|
|
secure_close(MyProcPort);
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-05-29 21:15:34 +02:00
|
|
|
/*
|
2021-12-02 23:14:43 +01:00
|
|
|
* On most platforms, we leave the socket open until the process dies.
|
|
|
|
|
* This allows clients to perform a "synchronous close" if they care
|
|
|
|
|
* --- wait till the transport layer reports connection closure, and
|
|
|
|
|
* you can be sure the backend has exited. Saves a kernel call, too.
|
2003-05-29 21:15:34 +02:00
|
|
|
*
|
2021-12-02 23:14:43 +01:00
|
|
|
* However, that does not work on Windows: if the kernel closes the
|
|
|
|
|
* socket it will invoke an "abortive shutdown" that discards any data
|
|
|
|
|
* not yet sent to the client. (This is a flat-out violation of the
|
|
|
|
|
* TCP RFCs, but count on Microsoft not to care about that.) To get
|
|
|
|
|
* the spec-compliant "graceful shutdown" behavior, we must invoke
|
2021-12-07 19:34:06 +01:00
|
|
|
* closesocket() explicitly. When using OpenSSL, it seems that clean
|
|
|
|
|
* shutdown also requires an explicit shutdown() call.
|
2021-12-02 23:14:43 +01:00
|
|
|
*
|
|
|
|
|
* This code runs late enough during process shutdown that we should
|
|
|
|
|
* have finished all externally-visible shutdown activities, so that
|
|
|
|
|
* in principle it's good enough to act as a synchronous close on
|
|
|
|
|
* Windows too. But it's a lot more fragile than the other way.
|
2003-05-29 21:15:34 +02:00
|
|
|
*/
|
2021-12-02 23:14:43 +01:00
|
|
|
#ifdef WIN32
|
2021-12-07 19:34:06 +01:00
|
|
|
shutdown(MyProcPort->sock, SD_SEND);
|
2021-12-02 23:14:43 +01:00
|
|
|
closesocket(MyProcPort->sock);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* In any case, set sock to PGINVALID_SOCKET to prevent further I/O */
|
2010-01-10 15:16:08 +01:00
|
|
|
MyProcPort->sock = PGINVALID_SOCKET;
|
2000-05-26 03:26:19 +02:00
|
|
|
}
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
1998-06-16 09:29:54 +02:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Streams -- wrapper around Unix socket system calls
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* Stream functions are used for vanilla TCP connection protocol.
|
|
|
|
|
*/
|
|
|
|
|
|
1999-01-12 13:49:52 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
2003-07-24 01:30:41 +02:00
|
|
|
* StreamServerPort -- open a "listening" port to accept connections.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2012-08-10 23:26:44 +02:00
|
|
|
* family should be AF_UNIX or AF_UNSPEC; portNumber is the port number.
|
|
|
|
|
* For AF_UNIX ports, hostName should be NULL and unixSocketDir must be
|
|
|
|
|
* specified. For TCP ports, hostName is either NULL for all interfaces or
|
|
|
|
|
* the interface to listen on, and unixSocketDir is ignored (can be NULL).
|
|
|
|
|
*
|
|
|
|
|
* Successfully opened sockets are added to the ListenSocket[] array (of
|
|
|
|
|
* length MaxListen), at the first position that isn't PGINVALID_SOCKET.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* RETURNS: STATUS_OK or STATUS_ERROR
|
|
|
|
|
*/
|
1997-11-07 21:52:15 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
int
|
2020-01-31 11:50:32 +01:00
|
|
|
StreamServerPort(int family, const char *hostName, unsigned short portNumber,
|
|
|
|
|
const char *unixSocketDir,
|
2010-01-10 15:16:08 +01:00
|
|
|
pgsocket ListenSocket[], int MaxListen)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2010-01-10 15:16:08 +01:00
|
|
|
pgsocket fd;
|
|
|
|
|
int err;
|
2002-12-06 05:37:05 +01:00
|
|
|
int maxconn;
|
2003-01-06 04:18:27 +01:00
|
|
|
int ret;
|
2003-08-13 00:42:01 +02:00
|
|
|
char portNumberStr[32];
|
|
|
|
|
const char *familyDesc;
|
|
|
|
|
char familyDescBuf[64];
|
2017-03-10 22:32:18 +01:00
|
|
|
const char *addrDesc;
|
|
|
|
|
char addrBuf[NI_MAXHOST];
|
2003-06-12 09:36:51 +02:00
|
|
|
char *service;
|
|
|
|
|
struct addrinfo *addrs = NULL,
|
|
|
|
|
*addr;
|
|
|
|
|
struct addrinfo hint;
|
|
|
|
|
int listen_index = 0;
|
|
|
|
|
int added = 0;
|
2022-02-08 21:52:40 +01:00
|
|
|
int max_backends = GetMaxBackends();
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2012-08-10 23:26:44 +02:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
char unixSocketPath[MAXPGPATH];
|
|
|
|
|
#endif
|
2007-07-24 13:16:36 +02:00
|
|
|
#if !defined(WIN32) || defined(IPV6_V6ONLY)
|
|
|
|
|
int one = 1;
|
|
|
|
|
#endif
|
2003-01-06 04:18:27 +01:00
|
|
|
|
|
|
|
|
/* Initialize hint structure */
|
|
|
|
|
MemSet(&hint, 0, sizeof(hint));
|
|
|
|
|
hint.ai_family = family;
|
2003-07-24 01:30:41 +02:00
|
|
|
hint.ai_flags = AI_PASSIVE;
|
2003-01-06 04:18:27 +01:00
|
|
|
hint.ai_socktype = SOCK_STREAM;
|
2000-10-03 05:11:26 +02:00
|
|
|
|
2000-10-05 22:18:33 +02:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
2002-12-06 05:37:05 +01:00
|
|
|
if (family == AF_UNIX)
|
|
|
|
|
{
|
2012-08-10 23:26:44 +02:00
|
|
|
/*
|
|
|
|
|
* Create unixSocketPath from portNumber and unixSocketDir and lock
|
|
|
|
|
* that file path
|
|
|
|
|
*/
|
|
|
|
|
UNIXSOCK_PATH(unixSocketPath, portNumber, unixSocketDir);
|
2012-11-30 01:57:01 +01:00
|
|
|
if (strlen(unixSocketPath) >= UNIXSOCK_PATH_BUFLEN)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("Unix-domain socket path \"%s\" is too long (maximum %d bytes)",
|
|
|
|
|
unixSocketPath,
|
|
|
|
|
(int) (UNIXSOCK_PATH_BUFLEN - 1))));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2012-08-10 23:26:44 +02:00
|
|
|
if (Lock_AF_UNIX(unixSocketDir, unixSocketPath) != STATUS_OK)
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_ERROR;
|
2012-08-10 23:26:44 +02:00
|
|
|
service = unixSocketPath;
|
2002-12-06 05:37:05 +01:00
|
|
|
}
|
2003-01-06 04:18:27 +01:00
|
|
|
else
|
2000-10-05 22:18:33 +02:00
|
|
|
#endif /* HAVE_UNIX_SOCKETS */
|
2003-01-06 04:18:27 +01:00
|
|
|
{
|
|
|
|
|
snprintf(portNumberStr, sizeof(portNumberStr), "%d", portNumber);
|
|
|
|
|
service = portNumberStr;
|
|
|
|
|
}
|
2003-04-25 03:24:00 +02:00
|
|
|
|
2005-10-17 18:24:20 +02:00
|
|
|
ret = pg_getaddrinfo_all(hostName, service, &hint, &addrs);
|
2003-07-24 01:30:41 +02:00
|
|
|
if (ret || !addrs)
|
2003-01-06 04:18:27 +01:00
|
|
|
{
|
2003-07-24 01:30:41 +02:00
|
|
|
if (hostName)
|
|
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not translate host name \"%s\", service \"%s\" to address: %s",
|
2003-07-24 01:30:41 +02:00
|
|
|
hostName, service, gai_strerror(ret))));
|
|
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not translate service \"%s\" to address: %s",
|
|
|
|
|
service, gai_strerror(ret))));
|
2004-05-26 20:35:51 +02:00
|
|
|
if (addrs)
|
2005-10-17 18:24:20 +02:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, addrs);
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2000-10-03 05:11:26 +02:00
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
for (addr = addrs; addr; addr = addr->ai_next)
|
2002-12-06 05:37:05 +01:00
|
|
|
{
|
2022-02-15 10:03:52 +01:00
|
|
|
if (family != AF_UNIX && addr->ai_family == AF_UNIX)
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Only set up a unix domain socket when they really asked for it.
|
2003-07-24 01:30:41 +02:00
|
|
|
* The service/port is different in that case.
|
|
|
|
|
*/
|
2003-06-12 09:36:51 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2002-12-06 05:37:05 +01:00
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
/* See if there is still room to add 1 more socket. */
|
|
|
|
|
for (; listen_index < MaxListen; listen_index++)
|
|
|
|
|
{
|
2010-01-10 15:16:08 +01:00
|
|
|
if (ListenSocket[listen_index] == PGINVALID_SOCKET)
|
2003-06-12 09:36:51 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2003-07-24 01:30:41 +02:00
|
|
|
if (listen_index >= MaxListen)
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
2005-01-12 17:38:17 +01:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not bind to all requested addresses: MAXLISTEN (%d) exceeded",
|
|
|
|
|
MaxListen)));
|
2003-06-12 09:36:51 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2003-07-24 01:30:41 +02:00
|
|
|
|
2017-03-10 22:32:18 +01:00
|
|
|
/* set up address family name for log messages */
|
2003-08-13 00:42:01 +02:00
|
|
|
switch (addr->ai_family)
|
|
|
|
|
{
|
|
|
|
|
case AF_INET:
|
2005-02-22 05:43:23 +01:00
|
|
|
familyDesc = _("IPv4");
|
2003-08-13 00:42:01 +02:00
|
|
|
break;
|
|
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
case AF_INET6:
|
2005-02-22 05:43:23 +01:00
|
|
|
familyDesc = _("IPv6");
|
2003-08-13 00:42:01 +02:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
case AF_UNIX:
|
2005-02-22 05:43:23 +01:00
|
|
|
familyDesc = _("Unix");
|
2003-08-13 00:42:01 +02:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
snprintf(familyDescBuf, sizeof(familyDescBuf),
|
2005-02-22 05:43:23 +01:00
|
|
|
_("unrecognized address family %d"),
|
2003-08-13 00:42:01 +02:00
|
|
|
addr->ai_family);
|
|
|
|
|
familyDesc = familyDescBuf;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-10 22:32:18 +01:00
|
|
|
/* set up text form of address for log messages */
|
|
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
if (addr->ai_family == AF_UNIX)
|
|
|
|
|
addrDesc = unixSocketPath;
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
{
|
|
|
|
|
pg_getnameinfo_all((const struct sockaddr_storage *) addr->ai_addr,
|
|
|
|
|
addr->ai_addrlen,
|
|
|
|
|
addrBuf, sizeof(addrBuf),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
|
|
|
|
addrDesc = addrBuf;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-16 16:45:48 +02:00
|
|
|
if ((fd = socket(addr->ai_family, SOCK_STREAM, 0)) == PGINVALID_SOCKET)
|
2003-01-06 04:18:27 +01:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
2017-03-10 22:32:18 +01:00
|
|
|
/* translator: first %s is IPv4, IPv6, or Unix */
|
|
|
|
|
errmsg("could not create %s socket for address \"%s\": %m",
|
|
|
|
|
familyDesc, addrDesc)));
|
2003-06-12 09:36:51 +02:00
|
|
|
continue;
|
2002-12-06 05:37:05 +01:00
|
|
|
}
|
2000-10-03 05:11:26 +02:00
|
|
|
|
2007-06-04 13:59:20 +02:00
|
|
|
#ifndef WIN32
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-06-04 13:59:20 +02:00
|
|
|
/*
|
|
|
|
|
* Without the SO_REUSEADDR flag, a new postmaster can't be started
|
|
|
|
|
* right away after a stop or crash, giving "address already in use"
|
|
|
|
|
* error on TCP ports.
|
|
|
|
|
*
|
|
|
|
|
* On win32, however, this behavior only happens if the
|
2019-08-13 06:53:41 +02:00
|
|
|
* SO_EXCLUSIVEADDRUSE is set. With SO_REUSEADDR, win32 allows
|
|
|
|
|
* multiple servers to listen on the same address, resulting in
|
|
|
|
|
* unpredictable behavior. With no flags at all, win32 behaves as Unix
|
|
|
|
|
* with SO_REUSEADDR.
|
2007-06-04 13:59:20 +02:00
|
|
|
*/
|
2022-02-15 10:03:52 +01:00
|
|
|
if (addr->ai_family != AF_UNIX)
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
|
|
|
|
if ((setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
|
|
|
|
|
(char *) &one, sizeof(one))) == -1)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
2021-04-23 14:18:11 +02:00
|
|
|
/* translator: third %s is IPv4, IPv6, or Unix */
|
|
|
|
|
errmsg("%s(%s) failed for %s address \"%s\": %m",
|
|
|
|
|
"setsockopt", "SO_REUSEADDR",
|
2017-03-10 22:32:18 +01:00
|
|
|
familyDesc, addrDesc)));
|
2003-06-12 09:36:51 +02:00
|
|
|
closesocket(fd);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
2007-06-04 13:59:20 +02:00
|
|
|
#endif
|
2003-06-12 09:36:51 +02:00
|
|
|
|
|
|
|
|
#ifdef IPV6_V6ONLY
|
|
|
|
|
if (addr->ai_family == AF_INET6)
|
|
|
|
|
{
|
|
|
|
|
if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
|
|
|
|
|
(char *) &one, sizeof(one)) == -1)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
2021-04-23 14:18:11 +02:00
|
|
|
/* translator: third %s is IPv4, IPv6, or Unix */
|
|
|
|
|
errmsg("%s(%s) failed for %s address \"%s\": %m",
|
|
|
|
|
"setsockopt", "IPV6_V6ONLY",
|
2017-03-10 22:32:18 +01:00
|
|
|
familyDesc, addrDesc)));
|
2003-06-12 09:36:51 +02:00
|
|
|
closesocket(fd);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Note: This might fail on some OS's, like Linux older than
|
|
|
|
|
* 2.4.21-pre3, that don't have the IPV6_V6ONLY socket option, and map
|
|
|
|
|
* ipv4 addresses to ipv6. It will show ::ffff:ipv4 for all ipv4
|
|
|
|
|
* connections.
|
|
|
|
|
*/
|
|
|
|
|
err = bind(fd, addr->ai_addr, addr->ai_addrlen);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
{
|
2020-11-25 08:14:23 +01:00
|
|
|
int saved_errno = errno;
|
|
|
|
|
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
2017-03-10 22:32:18 +01:00
|
|
|
/* translator: first %s is IPv4, IPv6, or Unix */
|
|
|
|
|
errmsg("could not bind %s address \"%s\": %m",
|
|
|
|
|
familyDesc, addrDesc),
|
2020-11-25 08:14:23 +01:00
|
|
|
saved_errno == EADDRINUSE ?
|
2022-02-15 10:03:52 +01:00
|
|
|
(addr->ai_family == AF_UNIX ?
|
2020-11-25 08:14:23 +01:00
|
|
|
errhint("Is another postmaster already running on port %d?",
|
|
|
|
|
(int) portNumber) :
|
|
|
|
|
errhint("Is another postmaster already running on port %d?"
|
|
|
|
|
" If not, wait a few seconds and retry.",
|
|
|
|
|
(int) portNumber)) : 0));
|
2003-06-12 09:36:51 +02:00
|
|
|
closesocket(fd);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2000-10-05 22:18:33 +02:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
2003-06-12 09:36:51 +02:00
|
|
|
if (addr->ai_family == AF_UNIX)
|
2002-12-06 05:37:05 +01:00
|
|
|
{
|
2012-08-10 23:26:44 +02:00
|
|
|
if (Setup_AF_UNIX(service) != STATUS_OK)
|
2003-06-12 09:36:51 +02:00
|
|
|
{
|
|
|
|
|
closesocket(fd);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2002-12-06 05:37:05 +01:00
|
|
|
}
|
2003-01-06 04:18:27 +01:00
|
|
|
#endif
|
2000-11-29 21:59:54 +01:00
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
/*
|
|
|
|
|
* Select appropriate accept-queue length limit. PG_SOMAXCONN is only
|
|
|
|
|
* intended to provide a clamp on the request on platforms where an
|
|
|
|
|
* overly large request provokes a kernel error (are there any?).
|
|
|
|
|
*/
|
2022-02-08 21:52:40 +01:00
|
|
|
maxconn = max_backends * 2;
|
2003-06-12 09:36:51 +02:00
|
|
|
if (maxconn > PG_SOMAXCONN)
|
|
|
|
|
maxconn = PG_SOMAXCONN;
|
|
|
|
|
|
|
|
|
|
err = listen(fd, maxconn);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
2017-03-10 22:32:18 +01:00
|
|
|
/* translator: first %s is IPv4, IPv6, or Unix */
|
|
|
|
|
errmsg("could not listen on %s address \"%s\": %m",
|
|
|
|
|
familyDesc, addrDesc)));
|
2003-06-12 09:36:51 +02:00
|
|
|
closesocket(fd);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2017-03-10 22:32:18 +01:00
|
|
|
|
2017-03-14 18:18:27 +01:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
if (addr->ai_family == AF_UNIX)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("listening on Unix socket \"%s\"",
|
|
|
|
|
addrDesc)));
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
/* translator: first %s is IPv4 or IPv6 */
|
|
|
|
|
(errmsg("listening on %s address \"%s\", port %d",
|
|
|
|
|
familyDesc, addrDesc, (int) portNumber)));
|
2017-03-10 22:32:18 +01:00
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
ListenSocket[listen_index] = fd;
|
|
|
|
|
added++;
|
|
|
|
|
}
|
2001-07-11 21:03:07 +02:00
|
|
|
|
2005-10-17 18:24:20 +02:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, addrs);
|
2003-06-12 09:36:51 +02:00
|
|
|
|
|
|
|
|
if (!added)
|
2002-12-06 05:37:05 +01:00
|
|
|
return STATUS_ERROR;
|
2003-07-24 01:30:41 +02:00
|
|
|
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2003-01-25 06:19:47 +01:00
|
|
|
|
|
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
|
2003-01-06 04:18:27 +01:00
|
|
|
/*
|
|
|
|
|
* Lock_AF_UNIX -- configure unix socket file path
|
|
|
|
|
*/
|
2003-01-25 06:19:47 +01:00
|
|
|
static int
|
2020-01-31 11:50:32 +01:00
|
|
|
Lock_AF_UNIX(const char *unixSocketDir, const char *unixSocketPath)
|
2003-01-06 04:18:27 +01:00
|
|
|
{
|
2020-11-25 08:14:23 +01:00
|
|
|
/* no lock file for abstract sockets */
|
|
|
|
|
if (unixSocketPath[0] == '@')
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2003-01-06 04:18:27 +01:00
|
|
|
/*
|
|
|
|
|
* Grab an interlock file associated with the socket file.
|
2010-08-27 00:00:19 +02:00
|
|
|
*
|
|
|
|
|
* Note: there are two reasons for using a socket lock file, rather than
|
|
|
|
|
* trying to interlock directly on the socket itself. First, it's a lot
|
|
|
|
|
* more portable, and second, it lets us remove any pre-existing socket
|
|
|
|
|
* file without race conditions.
|
2003-01-06 04:18:27 +01:00
|
|
|
*/
|
2012-08-10 23:26:44 +02:00
|
|
|
CreateSocketLockFile(unixSocketPath, true, unixSocketDir);
|
2003-01-06 04:18:27 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Once we have the interlock, we can safely delete any pre-existing
|
|
|
|
|
* socket file to avoid failure at bind() time.
|
|
|
|
|
*/
|
2015-08-02 20:54:44 +02:00
|
|
|
(void) unlink(unixSocketPath);
|
2012-08-10 23:26:44 +02:00
|
|
|
|
|
|
|
|
/*
|
2015-08-02 20:54:44 +02:00
|
|
|
* Remember socket file pathnames for later maintenance.
|
2012-08-10 23:26:44 +02:00
|
|
|
*/
|
|
|
|
|
sock_paths = lappend(sock_paths, pstrdup(unixSocketPath));
|
2003-01-06 04:18:27 +01:00
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Setup_AF_UNIX -- configure unix socket permissions
|
|
|
|
|
*/
|
2003-01-25 06:19:47 +01:00
|
|
|
static int
|
2020-01-31 11:50:32 +01:00
|
|
|
Setup_AF_UNIX(const char *sock_path)
|
2003-01-06 04:18:27 +01:00
|
|
|
{
|
2020-11-25 08:14:23 +01:00
|
|
|
/* no file system permissions for abstract sockets */
|
|
|
|
|
if (sock_path[0] == '@')
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2003-01-06 04:18:27 +01:00
|
|
|
/*
|
|
|
|
|
* Fix socket ownership/permission if requested. Note we must do this
|
|
|
|
|
* before we listen() to avoid a window where unwanted connections could
|
|
|
|
|
* get accepted.
|
|
|
|
|
*/
|
|
|
|
|
Assert(Unix_socket_group);
|
|
|
|
|
if (Unix_socket_group[0] != '\0')
|
|
|
|
|
{
|
2003-05-15 18:35:30 +02:00
|
|
|
#ifdef WIN32
|
2003-07-22 21:00:12 +02:00
|
|
|
elog(WARNING, "configuration item unix_socket_group is not supported on this platform");
|
2003-05-15 18:35:30 +02:00
|
|
|
#else
|
2003-01-06 04:18:27 +01:00
|
|
|
char *endptr;
|
2005-09-24 19:53:28 +02:00
|
|
|
unsigned long val;
|
2003-01-06 04:18:27 +01:00
|
|
|
gid_t gid;
|
|
|
|
|
|
|
|
|
|
val = strtoul(Unix_socket_group, &endptr, 10);
|
|
|
|
|
if (*endptr == '\0')
|
|
|
|
|
{ /* numeric group id */
|
|
|
|
|
gid = val;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{ /* convert group name to id */
|
|
|
|
|
struct group *gr;
|
|
|
|
|
|
|
|
|
|
gr = getgrnam(Unix_socket_group);
|
|
|
|
|
if (!gr)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("group \"%s\" does not exist",
|
|
|
|
|
Unix_socket_group)));
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
gid = gr->gr_gid;
|
|
|
|
|
}
|
|
|
|
|
if (chown(sock_path, -1, gid) == -1)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_file_access(),
|
2003-09-25 08:58:07 +02:00
|
|
|
errmsg("could not set group of file \"%s\": %m",
|
2003-07-22 21:00:12 +02:00
|
|
|
sock_path)));
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2003-05-15 18:35:30 +02:00
|
|
|
#endif
|
2003-01-06 04:18:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (chmod(sock_path, Unix_socket_permissions) == -1)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_file_access(),
|
2003-09-25 08:58:07 +02:00
|
|
|
errmsg("could not set permissions of file \"%s\": %m",
|
2003-07-22 21:00:12 +02:00
|
|
|
sock_path)));
|
2003-01-06 04:18:27 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-12-06 05:37:05 +01:00
|
|
|
return STATUS_OK;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
2003-01-06 04:18:27 +01:00
|
|
|
#endif /* HAVE_UNIX_SOCKETS */
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* StreamConnection -- create a new connection with client using
|
2007-02-13 20:18:54 +01:00
|
|
|
* server port. Set port->sock to the FD of the new connection.
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
1999-04-25 05:19:27 +02:00
|
|
|
* ASSUME: that this doesn't need to be non-blocking because
|
2020-06-15 19:14:40 +02:00
|
|
|
* the Postmaster uses select() to tell when the socket is ready for
|
|
|
|
|
* accept().
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* RETURNS: STATUS_OK or STATUS_ERROR
|
|
|
|
|
*/
|
|
|
|
|
int
|
2010-01-10 15:16:08 +01:00
|
|
|
StreamConnection(pgsocket server_fd, Port *port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
/* accept connection and fill in the client (remote) address */
|
2003-06-12 09:36:51 +02:00
|
|
|
port->raddr.salen = sizeof(port->raddr.addr);
|
1996-07-09 08:22:35 +02:00
|
|
|
if ((port->sock = accept(server_fd,
|
2003-06-12 09:36:51 +02:00
|
|
|
(struct sockaddr *) &port->raddr.addr,
|
2014-04-16 16:45:48 +02:00
|
|
|
&port->raddr.salen)) == PGINVALID_SOCKET)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not accept new connection: %m")));
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2007-02-13 20:18:54 +01:00
|
|
|
/*
|
|
|
|
|
* If accept() fails then postmaster.c will still see the server
|
|
|
|
|
* socket as read-ready, and will immediately try again. To avoid
|
|
|
|
|
* uselessly sucking lots of CPU, delay a bit before trying again.
|
|
|
|
|
* (The most likely reason for failure is being out of kernel file
|
|
|
|
|
* table slots; we can do little except hope some will get freed up.)
|
|
|
|
|
*/
|
|
|
|
|
pg_usleep(100000L); /* wait 0.1 sec */
|
1996-07-09 08:22:35 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
1997-11-10 06:16:00 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/* fill in the server (local) address */
|
2003-06-12 09:36:51 +02:00
|
|
|
port->laddr.salen = sizeof(port->laddr.addr);
|
2003-07-22 21:00:12 +02:00
|
|
|
if (getsockname(port->sock,
|
|
|
|
|
(struct sockaddr *) &port->laddr.addr,
|
2003-06-12 09:36:51 +02:00
|
|
|
&port->laddr.salen) < 0)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s() failed: %m", "getsockname")));
|
1997-04-16 08:25:13 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
1999-01-17 04:10:23 +01:00
|
|
|
|
2000-05-21 23:19:53 +02:00
|
|
|
/* select NODELAY and KEEPALIVE options if it's a TCP connection */
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port->laddr.addr.ss_family != AF_UNIX)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
int on;
|
2015-07-06 15:10:58 +02:00
|
|
|
#ifdef WIN32
|
|
|
|
|
int oldopt;
|
|
|
|
|
int optlen;
|
|
|
|
|
int newopt;
|
|
|
|
|
#endif
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-06-12 09:36:51 +02:00
|
|
|
#ifdef TCP_NODELAY
|
2003-07-22 21:00:12 +02:00
|
|
|
on = 1;
|
2000-05-21 23:19:53 +02:00
|
|
|
if (setsockopt(port->sock, IPPROTO_TCP, TCP_NODELAY,
|
2000-06-14 20:18:01 +02:00
|
|
|
(char *) &on, sizeof(on)) < 0)
|
1997-04-16 08:25:13 +02:00
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "TCP_NODELAY")));
|
2000-05-20 15:10:54 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2003-06-12 09:36:51 +02:00
|
|
|
#endif
|
2003-07-22 21:00:12 +02:00
|
|
|
on = 1;
|
2000-05-20 15:10:54 +02:00
|
|
|
if (setsockopt(port->sock, SOL_SOCKET, SO_KEEPALIVE,
|
2000-06-14 20:18:01 +02:00
|
|
|
(char *) &on, sizeof(on)) < 0)
|
2000-05-20 15:10:54 +02:00
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "SO_KEEPALIVE")));
|
1997-04-16 08:25:13 +02:00
|
|
|
return STATUS_ERROR;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
|
2006-08-11 22:44:20 +02:00
|
|
|
#ifdef WIN32
|
2014-05-06 18:12:18 +02:00
|
|
|
|
2006-08-11 22:44:20 +02:00
|
|
|
/*
|
2015-07-06 15:10:58 +02:00
|
|
|
* This is a Win32 socket optimization. The OS send buffer should be
|
|
|
|
|
* large enough to send the whole Postgres send buffer in one go, or
|
|
|
|
|
* performance suffers. The Postgres send buffer can be enlarged if a
|
|
|
|
|
* very large message needs to be sent, but we won't attempt to
|
|
|
|
|
* enlarge the OS buffer if that happens, so somewhat arbitrarily
|
|
|
|
|
* ensure that the OS buffer is at least PQ_SEND_BUFFER_SIZE * 4.
|
|
|
|
|
* (That's 32kB with the current default).
|
|
|
|
|
*
|
|
|
|
|
* The default OS buffer size used to be 8kB in earlier Windows
|
|
|
|
|
* versions, but was raised to 64kB in Windows 2012. So it shouldn't
|
|
|
|
|
* be necessary to change it in later versions anymore. Changing it
|
|
|
|
|
* unnecessarily can even reduce performance, because setting
|
|
|
|
|
* SO_SNDBUF in the application disables the "dynamic send buffering"
|
|
|
|
|
* feature that was introduced in Windows 7. So before fiddling with
|
|
|
|
|
* SO_SNDBUF, check if the current buffer size is already large enough
|
|
|
|
|
* and only increase it if necessary.
|
|
|
|
|
*
|
|
|
|
|
* See https://support.microsoft.com/kb/823764/EN-US/ and
|
|
|
|
|
* https://msdn.microsoft.com/en-us/library/bb736549%28v=vs.85%29.aspx
|
2006-08-11 22:44:20 +02:00
|
|
|
*/
|
2015-07-06 15:10:58 +02:00
|
|
|
optlen = sizeof(oldopt);
|
2015-07-06 15:36:48 +02:00
|
|
|
if (getsockopt(port->sock, SOL_SOCKET, SO_SNDBUF, (char *) &oldopt,
|
2015-07-06 15:10:58 +02:00
|
|
|
&optlen) < 0)
|
2006-08-11 22:44:20 +02:00
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "getsockopt", "SO_SNDBUF")));
|
2006-08-11 22:44:20 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2015-07-06 15:10:58 +02:00
|
|
|
newopt = PQ_SEND_BUFFER_SIZE * 4;
|
|
|
|
|
if (oldopt < newopt)
|
|
|
|
|
{
|
|
|
|
|
if (setsockopt(port->sock, SOL_SOCKET, SO_SNDBUF, (char *) &newopt,
|
|
|
|
|
sizeof(newopt)) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "SO_SNDBUF")));
|
2015-07-06 15:10:58 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-08-11 22:44:20 +02:00
|
|
|
#endif
|
|
|
|
|
|
2005-09-12 04:26:33 +02:00
|
|
|
/*
|
|
|
|
|
* Also apply the current keepalive parameters. If we fail to set a
|
|
|
|
|
* parameter, don't error out, because these aren't universally
|
|
|
|
|
* supported. (Note: you might think we need to reset the GUC
|
|
|
|
|
* variables to 0 in such a case, but it's not necessary because the
|
|
|
|
|
* show hooks for these variables report the truth anyway.)
|
2005-07-30 17:17:26 +02:00
|
|
|
*/
|
2005-09-12 04:26:33 +02:00
|
|
|
(void) pq_setkeepalivesidle(tcp_keepalives_idle, port);
|
|
|
|
|
(void) pq_setkeepalivesinterval(tcp_keepalives_interval, port);
|
|
|
|
|
(void) pq_setkeepalivescount(tcp_keepalives_count, port);
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
(void) pq_settcpusertimeout(tcp_user_timeout, port);
|
1997-04-16 08:25:13 +02:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* StreamClose -- close a client/backend connection
|
2003-05-29 21:15:34 +02:00
|
|
|
*
|
|
|
|
|
* NOTE: this is NOT used to terminate a session; it is just used to release
|
|
|
|
|
* the file descriptor in a process that should no longer have the socket
|
|
|
|
|
* open. (For example, the postmaster calls this after passing ownership
|
|
|
|
|
* of the connection to a child process.) It is expected that someone else
|
|
|
|
|
* still has the socket open. So, we only want to close the descriptor,
|
|
|
|
|
* we do NOT want to send anything to the far end.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
|
|
|
|
void
|
2010-01-10 15:16:08 +01:00
|
|
|
StreamClose(pgsocket sock)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-04-25 03:24:00 +02:00
|
|
|
closesocket(sock);
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2003-01-25 06:19:47 +01:00
|
|
|
/*
|
2012-08-10 23:26:44 +02:00
|
|
|
* TouchSocketFiles -- mark socket files as recently accessed
|
2003-01-25 06:19:47 +01:00
|
|
|
*
|
|
|
|
|
* This routine should be called every so often to ensure that the socket
|
2012-08-10 23:26:44 +02:00
|
|
|
* files have a recent mod date (ordinary operations on sockets usually won't
|
|
|
|
|
* change the mod date). That saves them from being removed by
|
2003-01-25 06:19:47 +01:00
|
|
|
* overenthusiastic /tmp-directory-cleaner daemons. (Another reason we should
|
|
|
|
|
* never have put the socket file in /tmp...)
|
|
|
|
|
*/
|
|
|
|
|
void
|
2012-08-10 23:26:44 +02:00
|
|
|
TouchSocketFiles(void)
|
2003-01-25 06:19:47 +01:00
|
|
|
{
|
2012-08-10 23:26:44 +02:00
|
|
|
ListCell *l;
|
|
|
|
|
|
|
|
|
|
/* Loop through all created sockets... */
|
|
|
|
|
foreach(l, sock_paths)
|
2003-01-25 06:19:47 +01:00
|
|
|
{
|
2012-08-10 23:26:44 +02:00
|
|
|
char *sock_path = (char *) lfirst(l);
|
|
|
|
|
|
2020-02-21 20:04:19 +01:00
|
|
|
/* Ignore errors; there's no point in complaining */
|
|
|
|
|
(void) utime(sock_path, NULL);
|
2003-01-25 06:19:47 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-02 20:54:44 +02:00
|
|
|
/*
|
|
|
|
|
* RemoveSocketFiles -- unlink socket files at postmaster shutdown
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
RemoveSocketFiles(void)
|
|
|
|
|
{
|
|
|
|
|
ListCell *l;
|
|
|
|
|
|
|
|
|
|
/* Loop through all created sockets... */
|
|
|
|
|
foreach(l, sock_paths)
|
|
|
|
|
{
|
|
|
|
|
char *sock_path = (char *) lfirst(l);
|
|
|
|
|
|
|
|
|
|
/* Ignore any error. */
|
|
|
|
|
(void) unlink(sock_path);
|
|
|
|
|
}
|
|
|
|
|
/* Since we're about to exit, no need to reclaim storage */
|
|
|
|
|
sock_paths = NIL;
|
|
|
|
|
}
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* Low-level I/O routines begin here.
|
|
|
|
|
*
|
|
|
|
|
* These routines communicate with a frontend client across a connection
|
|
|
|
|
* already established by the preceding routines.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_set_nonblocking - set socket blocking/non-blocking
|
2011-03-30 09:10:32 +02:00
|
|
|
*
|
2017-08-16 06:22:32 +02:00
|
|
|
* Sets the socket non-blocking if nonblocking is true, or sets it
|
2011-03-30 09:10:32 +02:00
|
|
|
* blocking otherwise.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(bool nonblocking)
|
2011-03-30 09:10:32 +02:00
|
|
|
{
|
2014-10-31 17:02:40 +01:00
|
|
|
if (MyProcPort == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_CONNECTION_DOES_NOT_EXIST),
|
|
|
|
|
errmsg("there is no client connection")));
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
MyProcPort->noblock = nonblocking;
|
|
|
|
|
}
|
1999-04-25 05:19:27 +02:00
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_recvbuf - load some bytes into the input buffer
|
|
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
pq_recvbuf(void)
|
1998-06-16 09:29:54 +02:00
|
|
|
{
|
1999-04-25 05:19:27 +02:00
|
|
|
if (PqRecvPointer > 0)
|
|
|
|
|
{
|
|
|
|
|
if (PqRecvLength > PqRecvPointer)
|
|
|
|
|
{
|
|
|
|
|
/* still some unread data, left-justify it in the buffer */
|
|
|
|
|
memmove(PqRecvBuffer, PqRecvBuffer + PqRecvPointer,
|
|
|
|
|
PqRecvLength - PqRecvPointer);
|
|
|
|
|
PqRecvLength -= PqRecvPointer;
|
|
|
|
|
PqRecvPointer = 0;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
PqRecvLength = PqRecvPointer = 0;
|
|
|
|
|
}
|
1998-06-16 09:29:54 +02:00
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* Ensure that we're in blocking mode */
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(false);
|
2011-03-30 09:10:32 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/* Can fill buffer from PqRecvLength and upwards */
|
|
|
|
|
for (;;)
|
|
|
|
|
{
|
1999-09-27 05:13:16 +02:00
|
|
|
int r;
|
2000-04-12 19:17:23 +02:00
|
|
|
|
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send a SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FDQN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable than RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read empheral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
|
|
|
r = secure_read(MyProcPort, PqRecvBuffer + PqRecvLength,
|
2011-03-30 09:10:32 +02:00
|
|
|
PQ_RECV_BUFFER_SIZE - PqRecvLength);
|
1999-05-25 18:15:34 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
if (r < 0)
|
|
|
|
|
{
|
|
|
|
|
if (errno == EINTR)
|
|
|
|
|
continue; /* Ok if interrupted */
|
1999-05-25 18:15:34 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/*
|
2003-07-22 21:00:12 +02:00
|
|
|
* Careful: an ereport() that tries to write to the client would
|
2001-11-12 05:54:08 +01:00
|
|
|
* cause recursion to here, leading to stack overflow and core
|
|
|
|
|
* dump! This message must go *only* to the postmaster log.
|
1999-04-25 05:19:27 +02:00
|
|
|
*/
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not receive data from client: %m")));
|
1999-04-25 05:19:27 +02:00
|
|
|
return EOF;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
{
|
2003-04-19 02:02:30 +02:00
|
|
|
/*
|
|
|
|
|
* EOF detected. We used to write a log message here, but it's
|
|
|
|
|
* better to expect the ultimate caller to do that.
|
|
|
|
|
*/
|
1999-04-25 05:19:27 +02:00
|
|
|
return EOF;
|
|
|
|
|
}
|
|
|
|
|
/* r contains number of bytes read, so just incr length */
|
|
|
|
|
PqRecvLength += r;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
1998-06-16 09:29:54 +02:00
|
|
|
}
|
1998-09-01 06:40:42 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_getbyte - get a single byte from connection, or return EOF
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2001-12-04 20:40:17 +01:00
|
|
|
int
|
1999-04-25 05:19:27 +02:00
|
|
|
pq_getbyte(void)
|
|
|
|
|
{
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
while (PqRecvPointer >= PqRecvLength)
|
|
|
|
|
{
|
|
|
|
|
if (pq_recvbuf()) /* If nothing in buffer, then recv some */
|
|
|
|
|
return EOF; /* Failed to recv data */
|
|
|
|
|
}
|
2005-09-24 19:53:28 +02:00
|
|
|
return (unsigned char) PqRecvBuffer[PqRecvPointer++];
|
1999-04-25 05:19:27 +02:00
|
|
|
}
|
1998-09-10 06:07:59 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_peekbyte - peek at next byte from connection
|
|
|
|
|
*
|
|
|
|
|
* Same as pq_getbyte() except we don't advance the pointer.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
pq_peekbyte(void)
|
|
|
|
|
{
|
2015-02-07 05:14:27 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
while (PqRecvPointer >= PqRecvLength)
|
|
|
|
|
{
|
|
|
|
|
if (pq_recvbuf()) /* If nothing in buffer, then recv some */
|
|
|
|
|
return EOF; /* Failed to recv data */
|
|
|
|
|
}
|
2005-09-24 19:53:28 +02:00
|
|
|
return (unsigned char) PqRecvBuffer[PqRecvPointer];
|
1999-04-25 05:19:27 +02:00
|
|
|
}
|
1998-09-10 06:07:59 +02:00
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_getbyte_if_available - get a single byte from connection,
|
|
|
|
|
* if available
|
|
|
|
|
*
|
2010-02-18 12:13:46 +01:00
|
|
|
* The received byte is stored in *c. Returns 1 if a byte was read,
|
|
|
|
|
* 0 if no data was available, or EOF if trouble.
|
2010-01-15 10:19:10 +01:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
pq_getbyte_if_available(unsigned char *c)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
2010-01-15 10:19:10 +01:00
|
|
|
if (PqRecvPointer < PqRecvLength)
|
|
|
|
|
{
|
|
|
|
|
*c = PqRecvBuffer[PqRecvPointer++];
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* Put the socket into non-blocking mode */
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(true);
|
2011-03-30 09:10:32 +02:00
|
|
|
|
|
|
|
|
r = secure_read(MyProcPort, c, 1);
|
|
|
|
|
if (r < 0)
|
2010-01-15 10:19:10 +01:00
|
|
|
{
|
2011-03-30 09:10:32 +02:00
|
|
|
/*
|
|
|
|
|
* Ok if no data available without blocking or interrupted (though
|
|
|
|
|
* EINTR really shouldn't happen with a non-blocking socket). Report
|
|
|
|
|
* other errors.
|
|
|
|
|
*/
|
|
|
|
|
if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
|
|
|
|
|
r = 0;
|
|
|
|
|
else
|
2010-02-18 12:13:46 +01:00
|
|
|
{
|
|
|
|
|
/*
|
2011-03-30 09:10:32 +02:00
|
|
|
* Careful: an ereport() that tries to write to the client would
|
|
|
|
|
* cause recursion to here, leading to stack overflow and core
|
|
|
|
|
* dump! This message must go *only* to the postmaster log.
|
2010-02-18 12:13:46 +01:00
|
|
|
*/
|
2011-03-30 09:10:32 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not receive data from client: %m")));
|
2010-02-18 12:13:46 +01:00
|
|
|
r = EOF;
|
|
|
|
|
}
|
2010-01-15 10:19:10 +01:00
|
|
|
}
|
2011-03-30 09:10:32 +02:00
|
|
|
else if (r == 0)
|
2010-01-15 10:19:10 +01:00
|
|
|
{
|
2011-03-30 09:10:32 +02:00
|
|
|
/* EOF detected */
|
|
|
|
|
r = EOF;
|
2010-01-15 10:19:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_getbytes - get a known number of bytes from connection
|
|
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
1999-01-12 13:49:52 +01:00
|
|
|
*/
|
1999-04-25 05:19:27 +02:00
|
|
|
int
|
|
|
|
|
pq_getbytes(char *s, size_t len)
|
1999-01-12 13:49:52 +01:00
|
|
|
{
|
1999-04-25 05:19:27 +02:00
|
|
|
size_t amount;
|
|
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
while (len > 0)
|
|
|
|
|
{
|
|
|
|
|
while (PqRecvPointer >= PqRecvLength)
|
|
|
|
|
{
|
|
|
|
|
if (pq_recvbuf()) /* If nothing in buffer, then recv some */
|
|
|
|
|
return EOF; /* Failed to recv data */
|
|
|
|
|
}
|
|
|
|
|
amount = PqRecvLength - PqRecvPointer;
|
|
|
|
|
if (amount > len)
|
|
|
|
|
amount = len;
|
|
|
|
|
memcpy(s, PqRecvBuffer + PqRecvPointer, amount);
|
|
|
|
|
PqRecvPointer += amount;
|
|
|
|
|
s += amount;
|
|
|
|
|
len -= amount;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2004-10-19 01:23:19 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_discardbytes - throw away a known number of bytes
|
|
|
|
|
*
|
|
|
|
|
* same as pq_getbytes except we do not copy the data to anyplace.
|
|
|
|
|
* this is used for resynchronizing after read errors.
|
|
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
pq_discardbytes(size_t len)
|
|
|
|
|
{
|
|
|
|
|
size_t amount;
|
|
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
2004-10-19 01:23:19 +02:00
|
|
|
while (len > 0)
|
|
|
|
|
{
|
|
|
|
|
while (PqRecvPointer >= PqRecvLength)
|
|
|
|
|
{
|
|
|
|
|
if (pq_recvbuf()) /* If nothing in buffer, then recv some */
|
|
|
|
|
return EOF; /* Failed to recv data */
|
|
|
|
|
}
|
|
|
|
|
amount = PqRecvLength - PqRecvPointer;
|
|
|
|
|
if (amount > len)
|
|
|
|
|
amount = len;
|
|
|
|
|
PqRecvPointer += amount;
|
|
|
|
|
len -= amount;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-08 17:01:43 +01:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_buffer_has_data - is any buffered data available to read?
|
|
|
|
|
*
|
|
|
|
|
* This will *not* attempt to read more data.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
pq_buffer_has_data(void)
|
|
|
|
|
{
|
|
|
|
|
return (PqRecvPointer < PqRecvLength);
|
|
|
|
|
}
|
|
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_startmsgread - begin reading a message from the client.
|
|
|
|
|
*
|
|
|
|
|
* This must be called before any of the pq_get* functions.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
pq_startmsgread(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* There shouldn't be a read active already, but let's check just to be
|
|
|
|
|
* sure.
|
|
|
|
|
*/
|
|
|
|
|
if (PqCommReadingMsg)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
2015-11-17 03:16:42 +01:00
|
|
|
errmsg("terminating connection because protocol synchronization was lost")));
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
|
|
|
|
|
PqCommReadingMsg = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_endmsgread - finish reading message.
|
|
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* This must be called after reading a message with pq_getbytes()
|
|
|
|
|
* and friends, to indicate that we have read the whole message.
|
|
|
|
|
* pq_getmessage() does this implicitly.
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
pq_endmsgread(void)
|
|
|
|
|
{
|
|
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
|
|
|
|
PqCommReadingMsg = false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_is_reading_msg - are we currently reading a message?
|
|
|
|
|
*
|
|
|
|
|
* This is used in error recovery at the outer idle loop to detect if we have
|
|
|
|
|
* lost protocol sync, and need to terminate the connection. pq_startmsgread()
|
|
|
|
|
* will check for that too, but it's nicer to detect it earlier.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
pq_is_reading_msg(void)
|
|
|
|
|
{
|
|
|
|
|
return PqCommReadingMsg;
|
|
|
|
|
}
|
|
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_getmessage - get a message with length word from connection
|
|
|
|
|
*
|
|
|
|
|
* The return value is placed in an expansible StringInfo, which has
|
|
|
|
|
* already been initialized by the caller.
|
|
|
|
|
* Only the message body is placed in the StringInfo; the length word
|
|
|
|
|
* is removed. Also, s->cursor is initialized to zero for convenience
|
|
|
|
|
* in scanning the message contents.
|
|
|
|
|
*
|
Add heuristic incoming-message-size limits in the server.
We had a report of confusing server behavior caused by a client bug
that sent junk to the server: the server thought the junk was a
very long message length and waited patiently for data that would
never come. We can reduce the risk of that by being less trusting
about message lengths.
For a long time, libpq has had a heuristic rule that it wouldn't
believe large message size words, except for a small number of
message types that are expected to be (potentially) long. This
provides some defense against loss of message-boundary sync and
other corrupted-data cases. The server does something similar,
except that up to now it only limited the lengths of messages
received during the connection authentication phase. Let's
do the same as in libpq and put restrictions on the allowed
length of all messages, while distinguishing between message
types that are expected to be long and those that aren't.
I used a limit of 10000 bytes for non-long messages. (libpq's
corresponding limit is 30000 bytes, but given the asymmetry of
the FE/BE protocol, there's no good reason why the numbers should
be the same.) Experimentation suggests that this is at least a
factor of 10, maybe a factor of 100, more than we really need;
but plenty of daylight seems desirable to avoid false positives.
In any case we can adjust the limit based on beta-test results.
For long messages, set a limit of MaxAllocSize - 1, which is the
most that we can absorb into the StringInfo buffer that the message
is collected in. This just serves to make sure that a bogus message
size is reported as such, rather than as a confusing gripe about
not being able to enlarge a string buffer.
While at it, make sure that non-mainline code paths (such as
COPY FROM STDIN) are as paranoid as SocketBackend is, and validate
the message type code before believing the message length.
This provides an additional guard against getting stuck on corrupted
input.
Discussion: https://postgr.es/m/2003757.1619373089@sss.pgh.pa.us
2021-04-28 21:50:42 +02:00
|
|
|
* maxlen is the upper limit on the length of the
|
2003-04-19 02:02:30 +02:00
|
|
|
* message we are willing to accept. We abort the connection (by
|
|
|
|
|
* returning EOF) if client tries to send more than that.
|
|
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
pq_getmessage(StringInfo s, int maxlen)
|
|
|
|
|
{
|
|
|
|
|
int32 len;
|
|
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
Assert(PqCommReadingMsg);
|
|
|
|
|
|
2007-03-03 20:32:55 +01:00
|
|
|
resetStringInfo(s);
|
2002-09-05 01:31:35 +02:00
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
/* Read message length word */
|
|
|
|
|
if (pq_getbytes((char *) &len, 4) == EOF)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("unexpected EOF within message length word")));
|
2003-04-19 02:02:30 +02:00
|
|
|
return EOF;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-02 00:36:14 +02:00
|
|
|
len = pg_ntoh32(len);
|
2003-04-19 02:02:30 +02:00
|
|
|
|
Add heuristic incoming-message-size limits in the server.
We had a report of confusing server behavior caused by a client bug
that sent junk to the server: the server thought the junk was a
very long message length and waited patiently for data that would
never come. We can reduce the risk of that by being less trusting
about message lengths.
For a long time, libpq has had a heuristic rule that it wouldn't
believe large message size words, except for a small number of
message types that are expected to be (potentially) long. This
provides some defense against loss of message-boundary sync and
other corrupted-data cases. The server does something similar,
except that up to now it only limited the lengths of messages
received during the connection authentication phase. Let's
do the same as in libpq and put restrictions on the allowed
length of all messages, while distinguishing between message
types that are expected to be long and those that aren't.
I used a limit of 10000 bytes for non-long messages. (libpq's
corresponding limit is 30000 bytes, but given the asymmetry of
the FE/BE protocol, there's no good reason why the numbers should
be the same.) Experimentation suggests that this is at least a
factor of 10, maybe a factor of 100, more than we really need;
but plenty of daylight seems desirable to avoid false positives.
In any case we can adjust the limit based on beta-test results.
For long messages, set a limit of MaxAllocSize - 1, which is the
most that we can absorb into the StringInfo buffer that the message
is collected in. This just serves to make sure that a bogus message
size is reported as such, rather than as a confusing gripe about
not being able to enlarge a string buffer.
While at it, make sure that non-mainline code paths (such as
COPY FROM STDIN) are as paranoid as SocketBackend is, and validate
the message type code before believing the message length.
This provides an additional guard against getting stuck on corrupted
input.
Discussion: https://postgr.es/m/2003757.1619373089@sss.pgh.pa.us
2021-04-28 21:50:42 +02:00
|
|
|
if (len < 4 || len > maxlen)
|
2003-04-19 02:02:30 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid message length")));
|
2003-04-19 02:02:30 +02:00
|
|
|
return EOF;
|
|
|
|
|
}
|
|
|
|
|
|
2004-10-19 01:23:19 +02:00
|
|
|
len -= 4; /* discount length itself */
|
|
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
if (len > 0)
|
|
|
|
|
{
|
2004-10-19 01:23:19 +02:00
|
|
|
/*
|
|
|
|
|
* Allocate space for message. If we run out of room (ridiculously
|
|
|
|
|
* large message), we will elog(ERROR), but we want to discard the
|
|
|
|
|
* message body so as not to lose communication sync.
|
|
|
|
|
*/
|
|
|
|
|
PG_TRY();
|
|
|
|
|
{
|
|
|
|
|
enlargeStringInfo(s, len);
|
|
|
|
|
}
|
|
|
|
|
PG_CATCH();
|
|
|
|
|
{
|
|
|
|
|
if (pq_discardbytes(len) == EOF)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("incomplete message from client")));
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
|
|
|
|
|
/* we discarded the rest of the message so we're back in sync. */
|
|
|
|
|
PqCommReadingMsg = false;
|
2004-10-19 01:23:19 +02:00
|
|
|
PG_RE_THROW();
|
|
|
|
|
}
|
|
|
|
|
PG_END_TRY();
|
2003-04-19 02:02:30 +02:00
|
|
|
|
|
|
|
|
/* And grab the message */
|
|
|
|
|
if (pq_getbytes(s->data, len) == EOF)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("incomplete message from client")));
|
2002-09-05 01:31:35 +02:00
|
|
|
return EOF;
|
2003-04-19 02:02:30 +02:00
|
|
|
}
|
|
|
|
|
s->len = len;
|
|
|
|
|
/* Place a trailing null per StringInfo convention */
|
|
|
|
|
s->data[len] = '\0';
|
2002-04-21 01:35:43 +02:00
|
|
|
}
|
2003-04-19 02:02:30 +02:00
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
/* finished reading the message. */
|
|
|
|
|
PqCommReadingMsg = false;
|
|
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
return 0;
|
1999-04-25 05:19:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
static int
|
|
|
|
|
internal_putbytes(const char *s, size_t len)
|
1999-04-25 05:19:27 +02:00
|
|
|
{
|
|
|
|
|
size_t amount;
|
|
|
|
|
|
|
|
|
|
while (len > 0)
|
|
|
|
|
{
|
2004-09-26 02:26:28 +02:00
|
|
|
/* If buffer is full, then flush it out */
|
2011-03-30 09:10:32 +02:00
|
|
|
if (PqSendPointer >= PqSendBufferSize)
|
|
|
|
|
{
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(false);
|
2004-09-26 02:26:28 +02:00
|
|
|
if (internal_flush())
|
1999-04-25 05:19:27 +02:00
|
|
|
return EOF;
|
2011-03-30 09:10:32 +02:00
|
|
|
}
|
|
|
|
|
amount = PqSendBufferSize - PqSendPointer;
|
1999-04-25 05:19:27 +02:00
|
|
|
if (amount > len)
|
|
|
|
|
amount = len;
|
|
|
|
|
memcpy(PqSendBuffer + PqSendPointer, s, amount);
|
|
|
|
|
PqSendPointer += amount;
|
|
|
|
|
s += amount;
|
|
|
|
|
len -= amount;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_flush - flush pending output
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static int
|
|
|
|
|
socket_flush(void)
|
2004-09-26 02:26:28 +02:00
|
|
|
{
|
|
|
|
|
int res;
|
|
|
|
|
|
|
|
|
|
/* No-op if reentrant call */
|
|
|
|
|
if (PqCommBusy)
|
|
|
|
|
return 0;
|
|
|
|
|
PqCommBusy = true;
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(false);
|
2004-09-26 02:26:28 +02:00
|
|
|
res = internal_flush();
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* internal_flush - flush pending output
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 if OK (meaning everything was sent, or operation would block
|
|
|
|
|
* and the socket is in non-blocking mode), or EOF if trouble.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2004-09-26 02:26:28 +02:00
|
|
|
static int
|
|
|
|
|
internal_flush(void)
|
1999-04-25 05:19:27 +02:00
|
|
|
{
|
2001-11-12 05:54:08 +01:00
|
|
|
static int last_reported_send_errno = 0;
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
char *bufptr = PqSendBuffer + PqSendStart;
|
2005-09-24 19:53:28 +02:00
|
|
|
char *bufend = PqSendBuffer + PqSendPointer;
|
1999-04-25 05:19:27 +02:00
|
|
|
|
|
|
|
|
while (bufptr < bufend)
|
|
|
|
|
{
|
1999-09-27 05:13:16 +02:00
|
|
|
int r;
|
2000-04-12 19:17:23 +02:00
|
|
|
|
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send a SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FDQN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable than RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read empheral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
|
|
|
r = secure_write(MyProcPort, bufptr, bufend - bufptr);
|
2002-06-14 06:09:37 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
if (r <= 0)
|
|
|
|
|
{
|
|
|
|
|
if (errno == EINTR)
|
|
|
|
|
continue; /* Ok if we were interrupted */
|
1999-05-25 18:15:34 +02:00
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/*
|
|
|
|
|
* Ok if no data writable without blocking, and the socket is in
|
|
|
|
|
* non-blocking mode.
|
|
|
|
|
*/
|
|
|
|
|
if (errno == EAGAIN ||
|
|
|
|
|
errno == EWOULDBLOCK)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/*
|
2003-07-22 21:00:12 +02:00
|
|
|
* Careful: an ereport() that tries to write to the client would
|
2001-11-12 05:54:08 +01:00
|
|
|
* cause recursion to here, leading to stack overflow and core
|
|
|
|
|
* dump! This message must go *only* to the postmaster log.
|
|
|
|
|
*
|
|
|
|
|
* If a client disconnects while we're in the midst of output, we
|
|
|
|
|
* might write quite a bit of data before we get to a safe query
|
|
|
|
|
* abort point. So, suppress duplicate log messages.
|
1999-04-25 05:19:27 +02:00
|
|
|
*/
|
2001-11-12 05:54:08 +01:00
|
|
|
if (errno != last_reported_send_errno)
|
|
|
|
|
{
|
|
|
|
|
last_reported_send_errno = errno;
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not send data to client: %m")));
|
2001-11-12 05:54:08 +01:00
|
|
|
}
|
1999-05-25 18:15:34 +02:00
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/*
|
|
|
|
|
* We drop the buffered data anyway so that processing can
|
2011-12-09 10:37:21 +01:00
|
|
|
* continue, even though we'll probably quit soon. We also set a
|
|
|
|
|
* flag that'll cause the next CHECK_FOR_INTERRUPTS to terminate
|
|
|
|
|
* the connection.
|
1999-04-25 05:19:27 +02:00
|
|
|
*/
|
2011-03-30 09:10:32 +02:00
|
|
|
PqSendStart = PqSendPointer = 0;
|
2011-12-09 10:37:21 +01:00
|
|
|
ClientConnectionLost = 1;
|
|
|
|
|
InterruptPending = 1;
|
1999-04-25 05:19:27 +02:00
|
|
|
return EOF;
|
|
|
|
|
}
|
2001-11-12 05:54:08 +01:00
|
|
|
|
|
|
|
|
last_reported_send_errno = 0; /* reset after any successful send */
|
1999-04-25 05:19:27 +02:00
|
|
|
bufptr += r;
|
2011-03-30 09:10:32 +02:00
|
|
|
PqSendStart += r;
|
1999-04-25 05:19:27 +02:00
|
|
|
}
|
2001-11-12 05:54:08 +01:00
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
PqSendStart = PqSendPointer = 0;
|
1999-04-25 05:19:27 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_flush_if_writable - flush pending output if writable without blocking
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 if OK, or EOF if trouble.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static int
|
|
|
|
|
socket_flush_if_writable(void)
|
2011-03-30 09:10:32 +02:00
|
|
|
{
|
|
|
|
|
int res;
|
|
|
|
|
|
|
|
|
|
/* Quick exit if nothing to do */
|
|
|
|
|
if (PqSendPointer == PqSendStart)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* No-op if reentrant call */
|
|
|
|
|
if (PqCommBusy)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* Temporarily put the socket into non-blocking mode */
|
2014-10-31 17:02:40 +01:00
|
|
|
socket_set_nonblocking(true);
|
2011-03-30 09:10:32 +02:00
|
|
|
|
|
|
|
|
PqCommBusy = true;
|
|
|
|
|
res = internal_flush();
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_is_send_pending - is there any pending data in the output buffer?
|
2011-03-30 09:10:32 +02:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static bool
|
|
|
|
|
socket_is_send_pending(void)
|
2011-03-30 09:10:32 +02:00
|
|
|
{
|
|
|
|
|
return (PqSendStart < PqSendPointer);
|
|
|
|
|
}
|
1999-04-25 05:19:27 +02:00
|
|
|
|
|
|
|
|
/* --------------------------------
|
|
|
|
|
* Message-level I/O routines begin here.
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* --------------------------------
|
2014-10-31 17:02:40 +01:00
|
|
|
* socket_putmessage - send a normal message (suppressed in COPY OUT mode)
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* msgtype is a message type code to place before the message body.
|
2003-04-22 02:08:07 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* len is the length of the message body data at *s. A message length
|
|
|
|
|
* word (equal to len+4 because it counts itself too) is inserted by this
|
|
|
|
|
* routine.
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* We suppress messages generated while pqcomm.c is busy. This
|
2004-09-26 02:26:28 +02:00
|
|
|
* avoids any possibility of messages being inserted within other
|
|
|
|
|
* messages. The only known trouble case arises if SIGQUIT occurs
|
|
|
|
|
* during a pqcomm.c routine --- quickdie() will try to send a warning
|
|
|
|
|
* message, and the most reasonable approach seems to be to drop it.
|
|
|
|
|
*
|
1999-04-25 05:19:27 +02:00
|
|
|
* returns 0 if OK, EOF if trouble
|
|
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static int
|
|
|
|
|
socket_putmessage(char msgtype, const char *s, size_t len)
|
1999-04-25 05:19:27 +02:00
|
|
|
{
|
2021-03-04 09:45:55 +01:00
|
|
|
uint32 n32;
|
|
|
|
|
|
|
|
|
|
Assert(msgtype != 0);
|
|
|
|
|
|
|
|
|
|
if (PqCommBusy)
|
1999-04-25 05:19:27 +02:00
|
|
|
return 0;
|
2004-09-26 02:26:28 +02:00
|
|
|
PqCommBusy = true;
|
2021-03-04 09:45:55 +01:00
|
|
|
if (internal_putbytes(&msgtype, 1))
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
n32 = pg_hton32((uint32) (len + 4));
|
|
|
|
|
if (internal_putbytes((char *) &n32, 4))
|
|
|
|
|
goto fail;
|
2003-04-22 02:08:07 +02:00
|
|
|
|
2004-09-26 02:26:28 +02:00
|
|
|
if (internal_putbytes(s, len))
|
|
|
|
|
goto fail;
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return EOF;
|
1999-04-25 05:19:27 +02:00
|
|
|
}
|
|
|
|
|
|
2011-03-30 09:10:32 +02:00
|
|
|
/* --------------------------------
|
|
|
|
|
* pq_putmessage_noblock - like pq_putmessage, but never blocks
|
|
|
|
|
*
|
|
|
|
|
* If the output buffer is too small to hold the message, the buffer
|
|
|
|
|
* is enlarged.
|
|
|
|
|
*/
|
2014-10-31 17:02:40 +01:00
|
|
|
static void
|
|
|
|
|
socket_putmessage_noblock(char msgtype, const char *s, size_t len)
|
2011-03-30 09:10:32 +02:00
|
|
|
{
|
2012-03-21 22:30:14 +01:00
|
|
|
int res PG_USED_FOR_ASSERTS_ONLY;
|
2011-03-30 09:10:32 +02:00
|
|
|
int required;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ensure we have enough space in the output buffer for the message header
|
|
|
|
|
* as well as the message itself.
|
|
|
|
|
*/
|
|
|
|
|
required = PqSendPointer + 1 + 4 + len;
|
|
|
|
|
if (required > PqSendBufferSize)
|
|
|
|
|
{
|
|
|
|
|
PqSendBuffer = repalloc(PqSendBuffer, required);
|
|
|
|
|
PqSendBufferSize = required;
|
|
|
|
|
}
|
|
|
|
|
res = pq_putmessage(msgtype, s, len);
|
|
|
|
|
Assert(res == 0); /* should not fail when the message fits in
|
|
|
|
|
* buffer */
|
|
|
|
|
}
|
|
|
|
|
|
1999-04-25 05:19:27 +02:00
|
|
|
/* --------------------------------
|
2021-03-04 09:45:55 +01:00
|
|
|
* pq_putmessage_v2 - send a message in protocol version 2
|
|
|
|
|
*
|
|
|
|
|
* msgtype is a message type code to place before the message body.
|
1999-04-25 05:19:27 +02:00
|
|
|
*
|
2021-03-04 09:45:55 +01:00
|
|
|
* We no longer support protocol version 2, but we have kept this
|
|
|
|
|
* function so that if a client tries to connect with protocol version 2,
|
|
|
|
|
* as a courtesy we can still send the "unsupported protocol version"
|
|
|
|
|
* error to the client in the old format.
|
|
|
|
|
*
|
|
|
|
|
* Like in pq_putmessage(), we suppress messages generated while
|
|
|
|
|
* pqcomm.c is busy.
|
|
|
|
|
*
|
|
|
|
|
* returns 0 if OK, EOF if trouble
|
1999-04-25 05:19:27 +02:00
|
|
|
* --------------------------------
|
|
|
|
|
*/
|
2021-03-04 09:45:55 +01:00
|
|
|
int
|
|
|
|
|
pq_putmessage_v2(char msgtype, const char *s, size_t len)
|
1999-04-25 05:19:27 +02:00
|
|
|
{
|
2021-03-04 09:45:55 +01:00
|
|
|
Assert(msgtype != 0);
|
|
|
|
|
|
|
|
|
|
if (PqCommBusy)
|
|
|
|
|
return 0;
|
|
|
|
|
PqCommBusy = true;
|
|
|
|
|
if (internal_putbytes(&msgtype, 1))
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
if (internal_putbytes(s, len))
|
|
|
|
|
goto fail;
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
PqCommBusy = false;
|
|
|
|
|
return EOF;
|
1999-01-12 13:49:52 +01:00
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
|
2005-09-12 04:26:33 +02:00
|
|
|
/*
|
|
|
|
|
* Support for TCP Keepalive parameters
|
|
|
|
|
*/
|
|
|
|
|
|
2010-07-08 12:20:14 +02:00
|
|
|
/*
|
|
|
|
|
* On Windows, we need to set both idle and interval at the same time.
|
|
|
|
|
* We also cannot reset them to the default (setting to zero will
|
2015-04-26 19:05:39 +02:00
|
|
|
* actually set them to zero, not default), therefore we fallback to
|
2010-07-08 12:20:14 +02:00
|
|
|
* the out-of-the-box default instead.
|
|
|
|
|
*/
|
2010-07-08 18:19:50 +02:00
|
|
|
#if defined(WIN32) && defined(SIO_KEEPALIVE_VALS)
|
2010-07-08 12:20:14 +02:00
|
|
|
static int
|
|
|
|
|
pq_setkeepaliveswin32(Port *port, int idle, int interval)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_keepalive ka;
|
|
|
|
|
DWORD retsize;
|
|
|
|
|
|
|
|
|
|
if (idle <= 0)
|
|
|
|
|
idle = 2 * 60 * 60; /* default = 2 hours */
|
|
|
|
|
if (interval <= 0)
|
|
|
|
|
interval = 1; /* default = 1 second */
|
|
|
|
|
|
|
|
|
|
ka.onoff = 1;
|
|
|
|
|
ka.keepalivetime = idle * 1000;
|
|
|
|
|
ka.keepaliveinterval = interval * 1000;
|
|
|
|
|
|
|
|
|
|
if (WSAIoctl(port->sock,
|
|
|
|
|
SIO_KEEPALIVE_VALS,
|
|
|
|
|
(LPVOID) &ka,
|
|
|
|
|
sizeof(ka),
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
&retsize,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL)
|
|
|
|
|
!= 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: error code %d",
|
|
|
|
|
"WSAIoctl", "SIO_KEEPALIVE_VALS", WSAGetLastError())));
|
2010-07-08 12:20:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
if (port->keepalives_idle != idle)
|
|
|
|
|
port->keepalives_idle = idle;
|
|
|
|
|
if (port->keepalives_interval != interval)
|
|
|
|
|
port->keepalives_interval = interval;
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
int
|
|
|
|
|
pq_getkeepalivesidle(Port *port)
|
|
|
|
|
{
|
2017-06-28 18:30:16 +02:00
|
|
|
#if defined(PG_TCP_KEEPALIVE_IDLE) || defined(SIO_KEEPALIVE_VALS)
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (port->keepalives_idle != 0)
|
|
|
|
|
return port->keepalives_idle;
|
|
|
|
|
|
|
|
|
|
if (port->default_keepalives_idle == 0)
|
|
|
|
|
{
|
2010-07-08 12:20:14 +02:00
|
|
|
#ifndef WIN32
|
2021-11-09 15:20:47 +01:00
|
|
|
socklen_t size = sizeof(port->default_keepalives_idle);
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2017-06-28 18:30:16 +02:00
|
|
|
if (getsockopt(port->sock, IPPROTO_TCP, PG_TCP_KEEPALIVE_IDLE,
|
2017-06-28 00:47:57 +02:00
|
|
|
(char *) &port->default_keepalives_idle,
|
|
|
|
|
&size) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "getsockopt", PG_TCP_KEEPALIVE_IDLE_STR)));
|
2017-06-28 00:47:57 +02:00
|
|
|
port->default_keepalives_idle = -1; /* don't know */
|
|
|
|
|
}
|
2010-07-08 12:20:14 +02:00
|
|
|
#else /* WIN32 */
|
|
|
|
|
/* We can't get the defaults on Windows, so return "don't know" */
|
|
|
|
|
port->default_keepalives_idle = -1;
|
|
|
|
|
#endif /* WIN32 */
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return port->default_keepalives_idle;
|
|
|
|
|
#else
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
int
|
|
|
|
|
pq_setkeepalivesidle(int idle, Port *port)
|
|
|
|
|
{
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2017-06-28 00:47:57 +02:00
|
|
|
/* check SIO_KEEPALIVE_VALS here, not just WIN32, as some toolchains lack it */
|
2017-06-28 18:30:16 +02:00
|
|
|
#if defined(PG_TCP_KEEPALIVE_IDLE) || defined(SIO_KEEPALIVE_VALS)
|
2005-07-30 17:17:26 +02:00
|
|
|
if (idle == port->keepalives_idle)
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2010-07-08 12:20:14 +02:00
|
|
|
#ifndef WIN32
|
2005-09-12 04:26:33 +02:00
|
|
|
if (port->default_keepalives_idle <= 0)
|
2005-07-30 17:17:26 +02:00
|
|
|
{
|
|
|
|
|
if (pq_getkeepalivesidle(port) < 0)
|
2005-09-12 04:26:33 +02:00
|
|
|
{
|
|
|
|
|
if (idle == 0)
|
|
|
|
|
return STATUS_OK; /* default is set but unknown */
|
|
|
|
|
else
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
if (idle == 0)
|
|
|
|
|
idle = port->default_keepalives_idle;
|
|
|
|
|
|
2017-06-28 18:30:16 +02:00
|
|
|
if (setsockopt(port->sock, IPPROTO_TCP, PG_TCP_KEEPALIVE_IDLE,
|
2017-06-28 00:47:57 +02:00
|
|
|
(char *) &idle, sizeof(idle)) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", PG_TCP_KEEPALIVE_IDLE_STR)));
|
2017-06-28 00:47:57 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
|
|
|
|
|
port->keepalives_idle = idle;
|
2010-07-08 12:20:14 +02:00
|
|
|
#else /* WIN32 */
|
|
|
|
|
return pq_setkeepaliveswin32(port, idle, port->keepalives_interval);
|
|
|
|
|
#endif
|
2017-06-28 18:30:16 +02:00
|
|
|
#else
|
2005-07-30 17:17:26 +02:00
|
|
|
if (idle != 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("setting the keepalive idle time is not supported")));
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2017-06-28 18:30:16 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
pq_getkeepalivesinterval(Port *port)
|
|
|
|
|
{
|
2010-07-08 18:19:50 +02:00
|
|
|
#if defined(TCP_KEEPINTVL) || defined(SIO_KEEPALIVE_VALS)
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (port->keepalives_interval != 0)
|
|
|
|
|
return port->keepalives_interval;
|
|
|
|
|
|
|
|
|
|
if (port->default_keepalives_interval == 0)
|
|
|
|
|
{
|
2010-07-08 12:20:14 +02:00
|
|
|
#ifndef WIN32
|
2021-11-09 15:20:47 +01:00
|
|
|
socklen_t size = sizeof(port->default_keepalives_interval);
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 22:28:20 +02:00
|
|
|
if (getsockopt(port->sock, IPPROTO_TCP, TCP_KEEPINTVL,
|
2005-09-12 04:26:33 +02:00
|
|
|
(char *) &port->default_keepalives_interval,
|
2005-07-30 17:17:26 +02:00
|
|
|
&size) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "getsockopt", "TCP_KEEPINTVL")));
|
2005-09-12 04:26:33 +02:00
|
|
|
port->default_keepalives_interval = -1; /* don't know */
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
2010-07-08 12:20:14 +02:00
|
|
|
#else
|
|
|
|
|
/* We can't get the defaults on Windows, so return "don't know" */
|
|
|
|
|
port->default_keepalives_interval = -1;
|
|
|
|
|
#endif /* WIN32 */
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return port->default_keepalives_interval;
|
|
|
|
|
#else
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
int
|
|
|
|
|
pq_setkeepalivesinterval(int interval, Port *port)
|
|
|
|
|
{
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2017-06-28 00:47:57 +02:00
|
|
|
#if defined(TCP_KEEPINTVL) || defined(SIO_KEEPALIVE_VALS)
|
2005-07-30 17:17:26 +02:00
|
|
|
if (interval == port->keepalives_interval)
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2010-07-08 12:20:14 +02:00
|
|
|
#ifndef WIN32
|
2005-09-12 04:26:33 +02:00
|
|
|
if (port->default_keepalives_interval <= 0)
|
|
|
|
|
{
|
2005-07-30 17:17:26 +02:00
|
|
|
if (pq_getkeepalivesinterval(port) < 0)
|
2005-09-12 04:26:33 +02:00
|
|
|
{
|
|
|
|
|
if (interval == 0)
|
|
|
|
|
return STATUS_OK; /* default is set but unknown */
|
|
|
|
|
else
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
if (interval == 0)
|
|
|
|
|
interval = port->default_keepalives_interval;
|
|
|
|
|
|
2005-07-30 22:28:20 +02:00
|
|
|
if (setsockopt(port->sock, IPPROTO_TCP, TCP_KEEPINTVL,
|
2005-07-30 17:17:26 +02:00
|
|
|
(char *) &interval, sizeof(interval)) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "TCP_KEEPINTVL")));
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
port->keepalives_interval = interval;
|
2010-07-08 12:20:14 +02:00
|
|
|
#else /* WIN32 */
|
|
|
|
|
return pq_setkeepaliveswin32(port, port->keepalives_idle, interval);
|
|
|
|
|
#endif
|
2005-07-30 17:17:26 +02:00
|
|
|
#else
|
|
|
|
|
if (interval != 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) not supported", "setsockopt", "TCP_KEEPINTVL")));
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_ERROR;
|
2005-09-12 04:26:33 +02:00
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
pq_getkeepalivescount(Port *port)
|
|
|
|
|
{
|
|
|
|
|
#ifdef TCP_KEEPCNT
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (port->keepalives_count != 0)
|
|
|
|
|
return port->keepalives_count;
|
|
|
|
|
|
|
|
|
|
if (port->default_keepalives_count == 0)
|
|
|
|
|
{
|
2021-11-09 15:20:47 +01:00
|
|
|
socklen_t size = sizeof(port->default_keepalives_count);
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 22:28:20 +02:00
|
|
|
if (getsockopt(port->sock, IPPROTO_TCP, TCP_KEEPCNT,
|
2005-09-12 04:26:33 +02:00
|
|
|
(char *) &port->default_keepalives_count,
|
2005-07-30 17:17:26 +02:00
|
|
|
&size) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "getsockopt", "TCP_KEEPCNT")));
|
2005-09-12 04:26:33 +02:00
|
|
|
port->default_keepalives_count = -1; /* don't know */
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return port->default_keepalives_count;
|
|
|
|
|
#else
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
int
|
|
|
|
|
pq_setkeepalivescount(int count, Port *port)
|
|
|
|
|
{
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2010-03-13 17:56:37 +01:00
|
|
|
#ifdef TCP_KEEPCNT
|
2005-07-30 17:17:26 +02:00
|
|
|
if (count == port->keepalives_count)
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
2005-09-12 04:26:33 +02:00
|
|
|
if (port->default_keepalives_count <= 0)
|
|
|
|
|
{
|
2005-07-30 17:17:26 +02:00
|
|
|
if (pq_getkeepalivescount(port) < 0)
|
2005-09-12 04:26:33 +02:00
|
|
|
{
|
|
|
|
|
if (count == 0)
|
|
|
|
|
return STATUS_OK; /* default is set but unknown */
|
|
|
|
|
else
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2005-07-30 17:17:26 +02:00
|
|
|
}
|
2005-09-12 04:26:33 +02:00
|
|
|
|
2005-07-30 17:17:26 +02:00
|
|
|
if (count == 0)
|
|
|
|
|
count = port->default_keepalives_count;
|
|
|
|
|
|
2005-07-30 22:28:20 +02:00
|
|
|
if (setsockopt(port->sock, IPPROTO_TCP, TCP_KEEPCNT,
|
2005-07-30 17:17:26 +02:00
|
|
|
(char *) &count, sizeof(count)) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "TCP_KEEPCNT")));
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
port->keepalives_count = count;
|
|
|
|
|
#else
|
|
|
|
|
if (count != 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) not supported", "setsockopt", "TCP_KEEPCNT")));
|
2005-07-30 17:17:26 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
pq_gettcpusertimeout(Port *port)
|
|
|
|
|
{
|
|
|
|
|
#ifdef TCP_USER_TIMEOUT
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (port->tcp_user_timeout != 0)
|
|
|
|
|
return port->tcp_user_timeout;
|
|
|
|
|
|
|
|
|
|
if (port->default_tcp_user_timeout == 0)
|
|
|
|
|
{
|
2021-11-09 15:20:47 +01:00
|
|
|
socklen_t size = sizeof(port->default_tcp_user_timeout);
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
|
|
|
|
|
if (getsockopt(port->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
|
|
|
|
|
(char *) &port->default_tcp_user_timeout,
|
|
|
|
|
&size) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "getsockopt", "TCP_USER_TIMEOUT")));
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
port->default_tcp_user_timeout = -1; /* don't know */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return port->default_tcp_user_timeout;
|
|
|
|
|
#else
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
pq_settcpusertimeout(int timeout, Port *port)
|
|
|
|
|
{
|
2022-02-15 10:03:52 +01:00
|
|
|
if (port == NULL || port->laddr.addr.ss_family == AF_UNIX)
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
|
|
|
|
|
#ifdef TCP_USER_TIMEOUT
|
|
|
|
|
if (timeout == port->tcp_user_timeout)
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
|
|
|
|
if (port->default_tcp_user_timeout <= 0)
|
|
|
|
|
{
|
|
|
|
|
if (pq_gettcpusertimeout(port) < 0)
|
|
|
|
|
{
|
|
|
|
|
if (timeout == 0)
|
|
|
|
|
return STATUS_OK; /* default is set but unknown */
|
|
|
|
|
else
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (timeout == 0)
|
|
|
|
|
timeout = port->default_tcp_user_timeout;
|
|
|
|
|
|
|
|
|
|
if (setsockopt(port->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
|
|
|
|
|
(char *) &timeout, sizeof(timeout)) < 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) failed: %m", "setsockopt", "TCP_USER_TIMEOUT")));
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
port->tcp_user_timeout = timeout;
|
|
|
|
|
#else
|
|
|
|
|
if (timeout != 0)
|
|
|
|
|
{
|
2020-12-04 14:25:23 +01:00
|
|
|
ereport(LOG,
|
2021-04-23 14:18:11 +02:00
|
|
|
(errmsg("%s(%s) not supported", "setsockopt", "TCP_USER_TIMEOUT")));
|
Add support TCP user timeout in libpq and the backend server
Similarly to the set of parameters for keepalive, a connection parameter
for libpq is added as well as a backend GUC, called tcp_user_timeout.
Increasing the TCP user timeout is useful to allow a connection to
survive extended periods without end-to-end connection, and decreasing
it allows application to fail faster. By default, the parameter is 0,
which makes the connection use the system default, and follows a logic
close to the keepalive parameters in its handling. When connecting
through a Unix-socket domain, the parameters have no effect.
Author: Ryohei Nagaura
Reviewed-by: Fabien Coelho, Robert Haas, Kyotaro Horiguchi, Kirk
Jamison, Mikalai Keida, Takayuki Tsunakawa, Andrei Yahorau
Discussion: https://postgr.es/m/EDA4195584F5064680D8130B1CA91C45367328@G01JPEXMBYT04
2019-04-06 08:23:37 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
2021-04-02 21:52:30 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check if the client is still connected.
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
pq_check_connection(void)
|
|
|
|
|
{
|
2022-02-14 04:29:44 +01:00
|
|
|
WaitEvent events[FeBeWaitSetNEvents];
|
2021-04-02 21:52:30 +02:00
|
|
|
int rc;
|
|
|
|
|
|
2022-02-14 04:29:44 +01:00
|
|
|
/*
|
|
|
|
|
* It's OK to modify the socket event filter without restoring, because
|
|
|
|
|
* all FeBeWaitSet socket wait sites do the same.
|
|
|
|
|
*/
|
|
|
|
|
ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetSocketPos, WL_SOCKET_CLOSED, NULL);
|
2021-04-02 21:52:30 +02:00
|
|
|
|
2022-02-14 04:29:44 +01:00
|
|
|
retry:
|
|
|
|
|
rc = WaitEventSetWait(FeBeWaitSet, 0, events, lengthof(events), 0);
|
|
|
|
|
for (int i = 0; i < rc; ++i)
|
2021-04-02 21:52:30 +02:00
|
|
|
{
|
2022-02-14 04:29:44 +01:00
|
|
|
if (events[i].events & WL_SOCKET_CLOSED)
|
|
|
|
|
return false;
|
|
|
|
|
if (events[i].events & WL_LATCH_SET)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* A latch event might be preventing other events from being
|
|
|
|
|
* reported. Reset it and poll again. No need to restore it
|
|
|
|
|
* because no code should expect latches to survive across
|
|
|
|
|
* CHECK_FOR_INTERRUPTS().
|
|
|
|
|
*/
|
|
|
|
|
ResetLatch(MyLatch);
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2021-04-02 21:52:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
