// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "ipc/file_descriptor_set_posix.h"

#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#include "base/logging.h"
#include "base/posix/eintr_wrapper.h"

FileDescriptorSet::FileDescriptorSet()
    : consumed_descriptor_highwater_(0) {
}

FileDescriptorSet::~FileDescriptorSet() {
  if (consumed_descriptor_highwater_ == size())
    return;

  // We close all the owning descriptors. If this message should have
  // been transmitted, then closing those with close flags set mirrors
  // the expected behaviour.
  //
  // If this message was received with more descriptors than expected
  // (which could a DOS against the browser by a rogue renderer) then all
  // the descriptors have their close flag set and we free all the extra
  // kernel resources.
  LOG(WARNING) << "FileDescriptorSet destroyed with unconsumed descriptors: "
               << consumed_descriptor_highwater_ << "/" << size();
}

bool FileDescriptorSet::AddToBorrow(base::PlatformFile fd) {
  DCHECK_EQ(consumed_descriptor_highwater_, 0u);

  if (size() == kMaxDescriptorsPerMessage) {
    DLOG(WARNING) << "Cannot add file descriptor. FileDescriptorSet full.";
    return false;
  }

  descriptors_.push_back(fd);
  return true;
}

bool FileDescriptorSet::AddToOwn(base::ScopedFD fd) {
  DCHECK_EQ(consumed_descriptor_highwater_, 0u);

  if (size() == kMaxDescriptorsPerMessage) {
    DLOG(WARNING) << "Cannot add file descriptor. FileDescriptorSet full.";
    return false;
  }

  descriptors_.push_back(fd.get());
  owned_descriptors_.push_back(new base::ScopedFD(fd.Pass()));
  DCHECK(size() <= kMaxDescriptorsPerMessage);
  return true;
}

base::PlatformFile FileDescriptorSet::TakeDescriptorAt(unsigned index) {
  if (index >= size()) {
    DLOG(WARNING) << "Accessing out of bound index:"
                  << index << "/" << size();
    return -1;
  }


  // We should always walk the descriptors in order, so it's reasonable to
  // enforce this. Consider the case where a compromised renderer sends us
  // the following message:
  //
  //   ExampleMsg:
  //     num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m}
  //
  // Here the renderer sent us a message which should have a descriptor, but
  // actually sent two in an attempt to fill our fd table and kill us. By
  // setting the index of the descriptor in the message to 1 (it should be
  // 0), we would record a highwater of 1 and then consider all the
  // descriptors to have been used.
  //
  // So we can either track of the use of each descriptor in a bitset, or we
  // can enforce that we walk the indexes strictly in order.
  //
  // There's one more wrinkle: When logging messages, we may reparse them. So
  // we have an exception: When the consumed_descriptor_highwater_ is at the
  // end of the array and index 0 is requested, we reset the highwater value.
  // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer
  // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294
  if (index == 0 && consumed_descriptor_highwater_ == descriptors_.size())
    consumed_descriptor_highwater_ = 0;

  if (index != consumed_descriptor_highwater_)
    return -1;

  consumed_descriptor_highwater_ = index + 1;

  base::PlatformFile file = descriptors_[index];

  // TODO(morrita): In production, descriptors_.size() should be same as
  // owned_descriptors_.size() as all read descriptors are owned by Message.
  // We have to do this because unit test breaks this assumption. It should be
  // changed to exercise with own-able descriptors.
  for (ScopedVector<base::ScopedFD>::const_iterator i =
           owned_descriptors_.begin();
       i != owned_descriptors_.end();
       ++i) {
    if ((*i)->get() == file) {
      ignore_result((*i)->release());
      break;
    }
  }

  return file;
}

void FileDescriptorSet::PeekDescriptors(base::PlatformFile* buffer) const {
  std::copy(descriptors_.begin(), descriptors_.end(), buffer);
}

bool FileDescriptorSet::ContainsDirectoryDescriptor() const {
  struct stat st;

  for (std::vector<base::PlatformFile>::const_iterator i = descriptors_.begin();
       i != descriptors_.end();
       ++i) {
    if (fstat(*i, &st) == 0 && S_ISDIR(st.st_mode))
      return true;
  }

  return false;
}

void FileDescriptorSet::CommitAll() {
  descriptors_.clear();
  owned_descriptors_.clear();
  consumed_descriptor_highwater_ = 0;
}

void FileDescriptorSet::ReleaseFDsToClose(
    std::vector<base::PlatformFile>* fds) {
  for (ScopedVector<base::ScopedFD>::iterator i = owned_descriptors_.begin();
       i != owned_descriptors_.end();
       ++i) {
    fds->push_back((*i)->release());
  }

  CommitAll();
}

void FileDescriptorSet::AddDescriptorsToOwn(const base::PlatformFile* buffer,
                                            unsigned count) {
  DCHECK(count <= kMaxDescriptorsPerMessage);
  DCHECK_EQ(size(), 0u);
  DCHECK_EQ(consumed_descriptor_highwater_, 0u);

  descriptors_.reserve(count);
  owned_descriptors_.reserve(count);
  for (unsigned i = 0; i < count; ++i) {
    descriptors_.push_back(buffer[i]);
    owned_descriptors_.push_back(new base::ScopedFD(buffer[i]));
  }
}