Misleading API in netdev driver

[maribu]

Problem Description

The int (*recv )(netdev_t *dev, void *buf, size_t len, void *info) member in netdev_driver_t (see Doxygen) is a textbook example of a misleading API:

1. The function does three completely different things depending on arguments:
   • Receive the message and return its size, if buf != NULL
   • Returns the message size of the incoming message if (buf == NULL) && (len == 0)
   • Drops the incoming message if (buf == NULL) && (len != 0)
2. The function name only reflects one of the three cases
3. One of the three cases is a corner case (the drop packet case only occurs under high load), so a bug is going to be unnoticed for quite some time

Symptopms

This misleading API already lead to a bug #9784. I predict similar bugs will show up in the future, if the API is not changed. Update: Many similar bugs were found, see #9832

Suggestions to Address the Problem

1. Split the function into three functions (e.g. recv(), get_size() and drop()). This would be the cleanest API, but the ROM size of the implementation is likely to increase, as all three will share some common code. (I assume the compiler will inline the common code when implemented in separate functions, so even when no duplicate C code is present, the ROM size will likely grow.)
   • Pros:
     • Cleanest API: Reviewers and implementers will no longer easily forget about the size/drop features
     • Checking for missing size/drop implementations possible by an assert
     • No increase in runtime overhead or RAM (barely measurable speedup expected by not longer needing conditional jumps)
     • Biggest increase in code readability (control flow simplified, functions get shorter, function names match their intention, header parsing will be moved to short static functions)
   • Cons:
     • Biggest ROM increase compared to other approaches expected
     • Biggest increase in lines of code
2. Rename the function, e.g. to recv_or_size_or_drop(). While this name is very clumsy, at least it is very obvious that this functions has to implement three different things.
   • Pro:
     • No increase in RAM/ROM usage and runtime overhead
   • Cons:
     • Only cosmetic, does not really address the problem
     • Unclean API
3. Add an additional parameter (e.g. an enum) to specify which of the three things the function should do. This would be much more obvious to the programmer, even though a bit wasteful
   • Pros:
     • No increase in ROM usage (and likely in RAM usage, if increased stack usage does not result in higher stack sizes being used)
     • Compiler helps implementer if both size and drop is forgotten (unused argument)
   • Cons:
     • Unclean API
     • Slight increase in runtime (barely measurable)
4. Like 1., but only split off drop and keep size in recv
   • Pros:
     • Only change that part of the API that was affected by bugs so far
     • Less ROM overhead and lines of code than 1.
   • Cons:
     • Still only slightly less unclean API
     • Compared to 1. most of the ROM / lines of code increase is already been paid, so why not pay the rest and get a clean API
5. Add static inline functions to increase readability: In the upper layers add wrappers to call the size and drop feature od the recv function more explicitly; in the lower layers to test for the drop/size/recv mode more readable
   • Pros:
     • No increase in RAM/ROM usage and runtime overhead
     • Correct recv implementations and upper layer code gets more readible
   • Cons:
     • Unclean API
     • The problem is (mostly) about incorrect lower layer implementations, this change does not help much here

[jnohlgard]

I agree that this is a problem, it is also easy for the maintainers to overlook missing functionality when reviewing a new network driver because dropping the packet is a corner case and is not used very often in many simple lab tests. I don't know which solution is the best though. It would take some effort to refactor all drivers to an API change, so it's best if we discuss the potential solutions some more before beginning to change the code.

[maribu]

Also, there may be more than the three options that came to my mind. Maybe in the course of a discussion a better solution will be proposed than the three suggestions.

The suggestion 2 would be relatively cheap in terms of work required. I personally favor suggestion 1, as it is the most obvious API. This would make it easier for newbies to understand and for reviews to review. But that one would require the most work :-(

[jnohlgard]

My personal preference is splitting the API into three functions. The drivers can still use the same implementation behind the scenes, but it will be more clear when one function is missing.

[jia200x]

My personal preference is splitting the API into three functions. The drivers can still use the same implementation behind the scenes, but it will be more clear when one function is missing.

I also think so! It improves code readability

[maribu]

To push the discussion further I opened a PR implementing three separate functions approach. By adding a two glue functions driver implementing the old API are "converted" to the new one. This allows to gradually port the drivers to the new API.

[haukepetersen]

I agree that the design of the recv function is not the most beautiful API we have in RIOT. But as netdev is one of our core interfaces and being very low level, efficiency is extremely important here, and that is what was driving the 'overloading' of this function in the first place. IMO it is not an option here, to spend the extra amount of memory for addtional function pointers, just because it is slightly nicer to read!

I think option 5 would be quite a nice addition (at is completely transparent both to usage and resource usage). Tackling the issue of driver not fully implementing these three behaviors, adding explicit checks for this on the netdev checklist as given in https://github.com/RIOT-OS/RIOT/wiki/Guide:-Writing-a-device-driver-in-RIOT should help.

[maribu]

@haukepeterson: I think you got some facts wrong.

I assume by efficiency you mean how much cpu time a driver spents on handling recv/drop/size features of the netdev_driver_t interface. There is practically no difference between all approaches. (Theoretically splitting the recv function implementing the recv, drop and size feature as separate functions is faster by dropping the if-statement and the additional parameter of approach 3 will be slower. But practically it will be challenging to just measure the difference.) So efficiency as criteria is not helpful here, as there is practically no difference.

Regarding memory (= RAM) usage: Again, there is no difference. (Theoretically approach 3. needs 1-4 bytes more stack which could lead to the stack size needing to be increased, but practically this won't be the case.) So again, a good criteria, but not helpful here.

The really relevant tradeoff here is ROM size vs. (un-)clean API (and the security and maintainability implications of an (un-)clean API).

the extra amount of memory for addtional function pointers,

The majority of the ROM increase is not due to the function pointers, but the duplicated machine code (as the compiler inlines static helper functions used in all three cases). For instance, the ROM increase is 146 Bytes in case of the enc28j60 driver (see discussion in #9832 for details).

But as netdev is one of our core interfaces and being very low level [...]

This argument is often brought up, as its logic flaw is easily made. If internal code is hard to maintain/read/debug/review, all code using it directly or indirectly is affected by all the easily avoided bugs introduced this way. Also, fewer eyes reviews internal, low-level code, so that corner case bugs easily go unnoticed for quite some time. And from many, many hours of debugging I know for sure that internal low level functions that are in use for ages are the very last place to look at when debugging, so avoiding bugs there is much more worth than in more exposed positions.

just because it is slightly nicer to read!

You missed the point. The recv API is a textbook example of an misleading API. As result, a lot of bugs (missing drop implementation and missing size implementation without appropriate documentation/asserts) were introduced in RIOT (see all the FIXME comments in #9832). The missing drop implementation is not only easily overlooked by the person implementing a new driver, but also by the one reviewing it.

And to put this very clearly: The missing drop implementation is trivially and remotely exploitable denial of service vulnerability. (E.g. see the "ping of death" @gschorcht describes here #9806.) Similar bugs in Linux would get CVE numbers and the whole insane security circus (a catchy name, a logo, a web page and maybe even a franchise shop). My point is: Those bugs are extremely relevant for any serious use of RIOT and preventing that this type of bug reappears in any future netdev_driver implementation has a huge value.

A clean API is a huge step to make this kind of vulnerability less likely to pop up again in the future and I personally would not hastitate to "pay" 146 Bytes of ROM size for that.

Also, let me proof the following sentence wrong:

In case of the netdev_driver_t API, compact ROM size is generally more relevant than a clean API

We could easily save more ROM size replacing all function pointers in netdev_driver_t by a single handle_everything () function pointer. The additional required if-statements would consume about as much ROM as the removed function pointers safe, but the common locking/unlocking code would safe a few bytes of ROM for each function absorbed by handle_everything (). (And there might be more common code to eliminate as well.) Thus, this handle_everything ()-API would be more ROM efficient than current API. Yet, it is easy to see that this handle_everything ()-API would result in a unmaintainable mess. This reductio ad absurdo proves, that generally preferring ROM size over a clean API is wrong. (Of course, any concrete argument for this specific ROM vs readability tradeoff is not proved wrong.)

[maribu]

@OlegHahm, @miri64, @rousselk, @haukepetersen, @LudwigKnuepfer, @bergzand, @thomaseichinger, @smlng, @kaspar030, @PeterKietzmann, @mehlis, @BytesGalore, @kYc0o: You are listed as contributors to the cc2420 netdev_driver, which contains a critical DoS vulnerability which can easily be triggered by bringing RIOT in a low-memory state:

• The upper layer wants to get the size of the incoming packet. Instead of calling a size()-function, misleadingly the recv() function is called with buf == NULL and with len == 0. This is implemented correctly by the driver
• The upper layer tries to allocate a buffer big enough for that packet, but fails
• The upper layer wants the driver to drop the incoming packet. Instead of calling a drop()-function, misleadingly the recv() function is called with buf == NULL and with len > 0. This is not implemented, instead the size() facility of recv() is performed again. As a result, RIOT loops endlessly trying to drop that packet --> nothing else gets executed anymore and the board is to be powered off and on again.

Roughly every second RIOT netdev_driver has the same security hole. I reported this issue 6 weeks ago. I think its about time to attend to it and finally fix it: The very least that should be done is fixing the bugs in all affected drivers. Better would be to fix the underlying problem: The misleading netdev_driver API should be fixed by introducing a separate size() and drop() function, so that this bug gets not re-introduced with every new netdev_driver implemenation added to RIOT.

[maribu]

Also: In the decision is made to fix the API by splitting recv() into recv(), size() and drop(), then I'm very happy update my PR to include ports of every netdev_driver. (An then the compatibility layer could be removed from the PR as well.)