On Thu, Jul 28, 2022 at 07:26:16AM -0500, Eric Blake wrote:
> On Wed, Jul 27, 2022 at 05:30:59PM +0100, Richard W.M. Jones wrote:
> > qemu-nbd doesn't call gnutls_bye to cleanly shut down the connection
> > after we send NBD_CMD_DISC. When copying from a qemu-nbd server (or
> > any operation which calls nbd_shutdown) you will see errors like this:
> >
> > $ nbdcopy nbds://foo?tls-certificates=/var/tmp/pki null:
> > nbds://foo?tls-certificates=/var/tmp/pki: nbd_shutdown:
> > gnutls_record_recv: The TLS connection was non-properly terminated.
> >
> > Relatedly you may also see:
> >
> > nbd_shutdown: gnutls_record_recv: Error in the pull function.
> >
> > This commit suppresses the error in the case where we know that we
> > have shut down writes (which happens after NBD_CMD_DISC has been sent
> > on the wire).
> > ---
> > interop/interop.c | 9 ---------
> > lib/crypto.c | 17 +++++++++++++++++
> > lib/internal.h | 1 +
> > 3 files changed, 18 insertions(+), 9 deletions(-)
> >
>
> > +++ b/lib/crypto.c
> > @@ -189,6 +189,22 @@ tls_recv (struct nbd_handle *h, struct socket *sock,
> > void *buf, size_t len)
> > errno = EAGAIN;
> > return -1;
> > }
> > + if (h->tls_shut_writes &&
> > + (r == GNUTLS_E_PULL_ERROR || r == GNUTLS_E_PREMATURE_TERMINATION))
> > {
> > + /* qemu-nbd doesn't call gnutls_bye to cleanly shut down the
> > + * connection after we send NBD_CMD_DISC, instead it simply
> > + * closes the connection. On the client side we see
> > + * "gnutls_record_recv: The TLS connection was non-properly
> > + * terminated" or "gnutls_record_recv: Error in the pull
> > + * function.".
> > + *
> > + * If we see these errors after we shut down the write side
> > + * (h->tls_shut_writes), which happens after we have sent
> > + * NBD_CMD_DISC on the wire, downgrade them to a debug message.
> > + */
> > + debug (h, "gnutls_record_recv: %s", gnutls_strerror (r));
> > + return 0; /* EOF */
> > + }
>
> Nice. These are still hard errors if we have not sent NBD_CMD_DISC
> (the connection disappearing while we are using it could be a MitM
> attacker), but once we know we are done talking, tolerating a server
> abruptly disappearing instead of gracefully leaving is desirable.
>
> Reviewed-by: Eric Blake <ebl...@redhat.com>
Thanks, this one (only) is upstream in ab470a70ca.
Also the associated bug is:
https://bugzilla.redhat.com/show_bug.cgi?id=2111813
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
