Commit graph

219 commits

Author SHA1 Message Date
Demi Marie Obenour
1e848fc299 SPA POD parser: fix several integer overflows
This fixes several integer overflow problems in the POD parser, as well
as fixing a returns-twice warning from GCC and integer truncation
problems in SPA_FLAG_CLEAR and SPA_ROUND_DOWN_N.  The integer overflows
can result in a tiny POD being treated as a huge one, causing
out-of-bounds reads.
2022-09-27 10:21:17 +00:00
Demi Marie Obenour
c1920163d5 Fix calls to sendmsg()
Align cmsg buffers properly and use MSG_NOSIGNAL.
2022-09-23 16:33:36 +00:00
Demi Marie Obenour
671a7102ff Fix some badly-behaved macros
Some macros evaluated their arguments more than once when it was not
needed, or were missing parentheses.
2022-09-23 11:39:33 -04:00
Wim Taymans
ba7d410c3c handle realloc error better
Make sure we free the old pointer, clear it and set the array size to 0.
Use reallocarray where possible.
2022-04-27 10:09:06 +02:00
Wim Taymans
cc7aadde8a connection: debug when we close fd
Also handle DUP failure.
2022-04-20 12:13:41 +02:00
Quentin Wenger
22fc9eec35 Cleanup argument names in methods and events interfaces
First method argument is object, first event argument is data.

Closes !963
2022-04-15 10:11:49 +02:00
Wim Taymans
c6a8f8d3ef global: use SPA_ID_INVALID to send serial id
We use the done event to send the object serial to the client. Use an
invalid object id for this and filter it out on the receiver or else
the client might get an unexpected done event.

Fixes #2253
2022-03-31 09:39:49 +02:00
Wim Taymans
c89595d86f protocol: increase some limits
2022-03-02 10:05:27 +01:00
Pauli Virtanen
d71cf24183 global: update generation number also in clients without registry
Not all clients have an existing registry, and the registry generation
number will not be updated for them.  However, we would like to check
for stale globals also elsewhere, eg.  metadata, and it must work also
in this case.

To avoid failing to update client registry generation, on global
addition which the client would see if it had a registry, send done
message for the new global id instead.
2022-02-27 15:04:23 +02:00
Pauli Virtanen
a9accd1668 protocol-native: footer pre_demarshal must come first
Message footer should be handled before attempting to find the object
the main message is sent to / checking permissions, because it is not
aimed at a specific object.  E.g. the registry generation updates should
be handled regardless of whether the main message is valid or not,
because the updates will not be re-sent.

Fixes registry generation updates sometimes going missing.
2022-02-26 17:48:51 +00:00
Pauli Virtanen
d44bf0ffc0 impl-core/protocol-native: use generation counter for global registry
Some client messages have bare ids (as opposed to proxies/resources),
eg. as in pw_registry_bind/destroy.  If the client is processing
messages late, these may refer to an object that was already removed,
and the id may now refer to a different object.  I.e. the following
race condition needs to be resolved:

server               client
Global 1 (gen. 1)
                     Global 1
Global 1 remove
Global 1 (gen. 2)
                     Bind/destroy 1

Where the client would bind/destroy the wrong global, since it did not
yet see the messages for the second one.

To keep track of which object the client means, the server keeps track of
the "generation number" of its global registry, and what generation
the client is at.

Each global remembers at what generation of registry they were
registered. When processing the messages that use bare ids, check the
registry generation of the client, to know whether the message refers to
a stale global that was already removed.

Messages where client sends bare ids to server are:

    pw_registry_bind, pw_registry_destroy, metadata_set_property

In pw_registry_* do the staleness check directly. Also add staleness
check in pw_impl_client_check_permissions, so that also the metadata
case is handled.

The generation numbers are passed around in message footers, but only if
they have changed.  When the generation number changes on server, we
send the updated value to the client in a message footer.  When client
has received an update value, it will send the value back in the footer
of the next message it sends to the server.

Based on: Wim Taymans <wtaymans@redhat.com> "impl-core: check serial number"
2022-02-20 16:59:25 +02:00
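A simplified model of the generation check described in commit d44bf0ffc0 above, added here as an illustration and not taken from PipeWire. The struct layouts, the function names, the convention that `0` means "no footer" and the `-ESTALE` return value are assumptions.

```c
#include <errno.h>
#include <stdint.h>

#define MAX_GLOBALS 8

struct global { int used; uint64_t generation; };	/* generation at registration */
struct server { uint64_t generation; struct global globals[MAX_GLOBALS]; };
struct client { uint64_t recv_generation; };	/* last value the client echoed back */

/* Register a global; returns the new registry generation, which the server
 * would announce to clients in a message footer. */
static uint64_t add_global(struct server *s, uint32_t id)
{
	s->globals[id] = (struct global){ .used = 1, .generation = ++s->generation };
	return s->generation;
}

static void remove_global(struct server *s, uint32_t id)
{
	s->globals[id].used = 0;
}

/* Handle a bare-id request (bind/destroy). footer_gen is the generation the
 * client echoed in this message's footer, or 0 when it sent no footer. */
static int handle_bare_id(struct server *s, struct client *c, uint32_t id,
			  uint64_t footer_gen)
{
	if (footer_gen != 0)	/* the footer is processed before the message */
		c->recv_generation = footer_gen;
	if (id >= MAX_GLOBALS || !s->globals[id].used)
		return -ENOENT;
	if (s->globals[id].generation > c->recv_generation)
		return -ESTALE;	/* client has not seen this incarnation of id */
	return 0;
}

/* The race from the commit message. caught_up selects whether the client
 * processed the announcement of the second global 1 before it sent its bind. */
static int race(int caught_up)
{
	struct server s = { 0 };
	struct client c = { 0 };
	uint64_t gen1 = add_global(&s, 1);	/* Global 1 (gen. 1), client sees it */
	remove_global(&s, 1);			/* Global 1 remove */
	uint64_t gen2 = add_global(&s, 1);	/* Global 1 (gen. 2) reuses the id */
	return handle_bare_id(&s, &c, 1, caught_up ? gen2 : gen1);
}
```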
Pauli Virtanen
680c33d3eb protocol-native: extend v3 protocol with message footers
Extend version 3 protocol with message footers, which are for passing
around global state data that is not addressed to a specific object.

The extension is backward compatible with previous v3 clients, and won't
e.g. result in error spam in logs.

The footer is a single SPA POD, appended after the main message POD.
Because both the protocol message and the message POD record their
length, it's possible to append trailing data. Earlier clients will
ignore any data trailing the message POD.

The footer POD contains a sequence [Id opcode, Struct {...}]*,
so there is room to extend with new opcodes later as necessary.

There are separate marshal/demarshal routines for messages aimed at
resources and proxies.
2022-02-20 16:59:25 +02:00
Barnabás Pőcze
15e7a61aa7 treewide: only define feature macros when the feature is available
Most feature checks already use #ifdef, and do not care about
the value of the macro. Convert all feature checks to do that,
and simplify the meson build scripts by replacing

  if cond
    cdata.set('X', 1)
  endif

with

  cdata.set('X', cond)
2022-02-04 00:15:59 +01:00
Wim Taymans
ead827d6cb modules: limit the max amount of items in the protocol
For now, put a limit on the amount of items we can send and receive
over the native protocol. A more complex way of allocating and freeing
can be implemented later when we really need to raise the limits.

Fixes #2070
2022-01-28 15:55:44 +01:00
Wim Taymans
36d78c41a0 modules: refactor permissions parsing
2022-01-28 10:51:09 +01:00
Wim Taymans
ef8fa3dc6f modules: refactor param parsing
So that we can add some more checks later.

See #2070
2022-01-28 10:25:30 +01:00
Wim Taymans
71a86877b7 modules: refactor parse_dict
Make a macro from parse_dict and move the n_items parsing and alloca
in it. This should make it easier to check the data.

See #2070
2022-01-28 10:01:12 +01:00
Barnabás Pőcze
1d4551a98d pipewire: module-protocol-native: avoid file descriptor leaks
At the moment, file descriptors may be leaked
due to a malicious/buggy client:

1. If the control messages have been truncated, some file descriptors
   may still have been successfully transferred. Currently, seeing
   the MSG_CTRUNC bit causes `refill_buffer()` to immediately return
   -EPROTO without doing anything with the control messages, which
   may contain file descriptors.

2. When there is no truncation, it is still possible that the current
   batch of file descriptors causes the total file descriptor count
   to go over the maximum number of fds for the given buffer (currently 1024).
   In this case, too, `refill_buffer()` immediately returns -EPROTO
   without closing the file descriptors that can not be saved.

Fix both of these cases by closing all file descriptors in all
remaining cmsgs when one of the mentioned conditions occurs.
2022-01-17 18:00:48 +01:00
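The cleanup rule from commit 1d4551a98d above, as an added example that is not PipeWire's `refill_buffer()`. The names `take_fds`, `demo` and `union ctl` and the cap of 4 descriptors are assumptions made for the illustration; `demo` passes descriptors over a socketpair and reports whether any were left open.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FDS 4	/* demo cap; the commit message mentions 1024 */
union ctl { char buf[CMSG_SPACE(8 * sizeof(int))]; struct cmsghdr align; };

/* Move received fds into fds[]. On truncation or overflow, close the fds in
 * the current and all remaining cmsgs instead of returning with them open. */
static int take_fds(struct msghdr *msg, int *fds, size_t *n_fds) {
	int fd, bad = (msg->msg_flags & MSG_CTRUNC) != 0;
	for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
		if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
		    c->cmsg_len < CMSG_LEN(0))
			continue;
		size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
		if (n > MAX_FDS - *n_fds) bad = 1;	/* would overrun fds[] */
		for (size_t i = 0; i < n; i++) {
			memcpy(&fd, CMSG_DATA(c) + i * sizeof(fd), sizeof(fd));
			if (bad) close(fd); else fds[(*n_fds)++] = fd;
		}
	}
	return bad ? -EPROTO : 0;
}

/* Constructed demo: send n fds over a socketpair, receive with ctl_len bytes
 * of control space. Returns take_fds()'s result, or 1 if an fd leaked. */
static int demo(int n, size_t ctl_len) {
	union ctl s = {0}, r;
	int sv[2], got[MAX_FDS], low, res, again;
	size_t n_got = 0;
	char byte = 'x';
	struct iovec iov = { &byte, 1 };
	struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = s.buf,
			    .msg_controllen = CMSG_SPACE(n * sizeof(int)) };
	if (n < 1 || n > 8 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 2;
	low = dup(sv[0]); close(low);	/* lowest free fd number right now */
	struct cmsghdr *c = CMSG_FIRSTHDR(&m);
	c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(n * sizeof(int));
	for (int i = 0; i < n; i++)
		memcpy(CMSG_DATA(c) + i * sizeof(int), &sv[0], sizeof(int));
	if (sendmsg(sv[1], &m, MSG_NOSIGNAL) != 1) return 2;
	m.msg_control = r.buf; m.msg_controllen = ctl_len;
	if (recvmsg(sv[0], &m, 0) != 1) return 2;
	res = take_fds(&m, got, &n_got);
	while (n_got > 0) close(got[--n_got]);	/* release the fds we kept */
	again = dup(sv[0]); close(again); close(sv[0]); close(sv[1]);
	return again == low ? res : 1;
}
```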
Jonas Holmberg
15ce86aff1 module-protocol-native: Fix errno check
handle_connection_error() takes errno as argument so check for positive
error codes.
2021-12-16 17:21:24 +01:00
Torkel Niklasson
10755ff115 protocol-native: change some warnings to infos
Errors caused by EPIPE/Connection reset by peer should not cause an
error in the pipewire log, but rather an info.
2021-12-14 14:54:13 +00:00
Quantum
8bab9a18ec Add all 32-bit packed little endian 10-bit RGB colour formats
Given that 10-bit colour is now becoming supported on Wayland, PipeWire
should be able to represent all the possible colour formats in order
for screen capture to work.

This commit adds all possible orderings of 10-bit RGB channels and 2
extra bits used for nothing or alpha in little endian to enum
spa_video_format. Note that Wayland only uses little endian for its
10-bit colour formats, and these are not the same as the big endian
formats in reverse order.
2021-12-07 11:22:04 +00:00
Peter Hutterer
96f8a7597e modules: switch protocol-native to the new logging system
This is more complicated than a normal module because we have two
logging topics: mod.protocol-native and conn.protocol-native for wire
messages. Because the latter use spa_debug (through spa_debug_pod) we
need to #define our way around so those too use the right topics.

Note that this removes the previous "connection" category, it is now
"conn.protocol-native" instead.
2021-09-28 09:35:39 +02:00
Peter Hutterer
99a10c1606 protocol: assert if the loop initialization fails on the connection test
This test needs an environment set up to load everything correctly,
running it directly results in a segfault. Let's make sure we assert on
a NULL loop to make this look slightly more planned.
2021-08-04 15:43:10 +10:00
Peter Hutterer
51a177eb6d tree-wide: replace strstr(a, b) == a with spa_strstartswith()
spa_strstartswith() is more immediately understandable.

Coccinelle spatch file:
	@@
	expression E1, E2;
	@@
	- strstr(E1, E2) != E1
	+ !spa_strstartswith(E1, E2)

	@@
	expression E1, E2;
	@@
	- strstr(E1, E2) == E1
	+ spa_strstartswith(E1, E2)

Applied to the tree except for alsa/acp/compat.h because it looks like
that header is still mostly as-is from PA.
2021-08-02 08:24:21 +00:00
Wim Taymans
8e8cb34dc2 protocol: don't place sockets in $HOME
No server will put them there and no client will look for it there.
2021-07-27 10:57:31 +02:00
Peter Hutterer
49f3d5842e test: replace all spa_assert() macros with spa_assert_se()
These are tests, we never want those to be optimized away.
2021-07-27 10:24:44 +10:00
Barnabás Pőcze
f5d51162c4 treewide: mark things static and const
Mark some structures, arrays static/const at various places.
In some cases this prevents unnecessary initialization
when a function is entered.

All in all, the text segments across all shared
libraries are reduced by about 2 KiB. However,
the total size increases by about 2 KiB as well.
2021-06-30 14:44:08 +02:00
George Kiagiadakis
59407d2f08 includes: update all references to extensions to point to pipewire/extensions
This also brings the advantage that all tools, examples, modules, components
can also be compiled standalone out-of-tree using libpipewire from the system
2021-06-18 17:54:18 +03:00
Wim Taymans
22b5b6b120 connection: make sure we don't overrun the fd array
Do some checks on the fd array and error out when we would overrun.
2021-06-18 15:26:20 +02:00
Wim Taymans
adee3d79b9 connection: handle truncated control data
We can't recover from truncated control data so return a fatal error
that should stop the client. Truncated control data can happen when
there are no more fds available, for example.

See #1305
2021-06-18 15:26:20 +02:00
Peter Hutterer
95a84e797a treewide: replace !strcmp() with spa_streq()
This change is only done in source files for now, header files will be done
separately.
2021-05-18 22:10:27 +10:00
Peter Hutterer
7697ed0757 treewide: replace strcmp() == 0 with spa_streq()
This change is only done in source files for now, header files will be done
separately.
2021-05-18 22:10:27 +10:00
Peter Hutterer
2405f0942b spa/buffer: rename SPA_MEMBER to SPA_PTROFF
SPA_MEMBER is misleading, all we're doing here is pointer+offset and
type-casting the result. Rename to SPA_PTROFF which is more expressive (and
has the same number of characters so we don't need to re-indent).
2021-05-06 09:39:39 +00:00
Jonas Holmberg
1e6b7b8a83 module-protocol-native: Handle pending connect
Do not return an error immediately if connect() fails with EAGAIN. Check
if it completed successfully with getsockopt() when the socket becomes
writable instead.

This is the way to handle non-blocking connect() by the book but after
testing it seems that the case when connect() fails with EAGAIN is when
the listen backlog is full on the server side and in that case the
server socket is closed. So even though connect() completes successfully
according to getsockopt() the client socket is no longer usable
(on_remote_data() will get both SPA_IO_OUT and SPA_IO_HUP in mask on the
first call after connect() returned EAGAIN).
2021-04-22 17:46:00 +00:00
Barnabás Pőcze
3c01cfe8f8 protocol-native: connection: fix errno check condition
The branch should be taken if errno is neither EAGAIN,
nor EWOULDBLOCK.

Previously,

  if (errno != EAGAIN || errno != EWOULDBLOCK)

would be taken for all values of errno if EAGAIN != EWOULDBLOCK.
(Except for the ones that are filtered out before.)

Fix that by changing `||` to `&&`.
2021-03-04 19:18:19 +00:00
Wim Taymans
7053936ffd don't attempt to connect to empty remote name
Fixes jconvolver startup.

See #744
2021-02-18 10:22:39 +01:00
George Kiagiadakis
0ce6de8fdf src: change license (LGPL -> MIT) on left-over LGPL files
Discussed with and approved by Wim
2021-02-10 11:52:09 +00:00
Wim Taymans
219248d43e connection: guard against NULL
2021-01-12 10:13:02 +01:00
Pauli Virtanen
84ebce147a module-protocol-native: add test for reentering
2021-01-12 10:13:02 +01:00
Pauli Virtanen
23f010541f module-protocol-native: make demarshaling safe vs. reentering
The message structures returned by pw_protocol_native_connection_get_next
point to data that is contained in the buffer of the connection.

The data was invalidated when pw_protocol_native_connection_get_next was
called the next time, which made the connection loop non-reentrant, in
cases where it was re-entered from demarshal callbacks.

Fix this by allocating new buffers when reentering and stashing the old
buffers onto a stack. The returned message structure is also stored on
the stack to make lifetimes match.
2021-01-12 10:13:02 +01:00
Wim Taymans
461e3db741 tests: fix some leaks
See #497
2020-12-21 20:07:02 +01:00
Wim Taymans
387009e0d6 return ENOENT for unknown resources
Fix some other errors as well, ENOSYS for invalid interface, ENOTSUP
for unimplemented methods.
2020-11-20 12:11:37 +01:00
Wim Taymans
a2549fc638 clean the hook lists
Make sure the hook lists are emptied so that the removed callbacks
are called. The callers should really remove the hook they installed
themselves but this is a last chance to fix things up.
2020-11-06 15:55:33 +01:00
Wim Taymans
b8c7b36d3b protocol-native: do version check on HELLO
Always do the version check on HELLO because the connection could
have been moved from a v3 portal to a v0 client (like chrome)

Fixes #270
2020-11-04 16:13:53 +01:00
Wim Taymans
21bda3102b connection: do version check only once
2020-10-30 12:56:37 +01:00
Wim Taymans
723ebcf438 protocol-native: only send properties when in change_mask
Only send the properties when the change mask includes them.
This reduces the message size.
2020-10-22 10:57:43 +02:00
Wim Taymans
39513fb681 protocol-native: fix error reporting
Don't say that there is no runtime directory set when there is but
the server is not running.
Simplify things by first trying to connect to the user runtime directory
when set and then try the system directory. There is no need to manually
check the existence of the socket, connect will do that and set the
appropriate error.
2020-08-21 11:15:24 +02:00
Jonas Holmberg
3e7609dcaf protocol: Add system runtime directory for clients
Add /run/pipewire to the list of runtime directories so that clients can
connect to the system service without specifying runtime directory.

If the otherwise chosen directory (e.g. the user home directory) doesn't
contain any socket but /run/pipewire does, the latter will be used.
2020-08-19 17:46:50 +00:00
Emmanuel Gil Peyrot
14fdf07e8f Run codespell on the entire codebase
This tool detects and fixes common English spelling mistakes, with
generally very few mistakes.

Here is the command I used to generate this commit.  There were a few
changes that had to be done manually, and of course adding the ignore
file:
```shell
codespell -I .codespell-ignore -x .codespell-ignore -w
```

I didn’t add it to the CI, but this would be a good place for it.
2020-08-17 17:16:31 +00:00
Wim Taymans
6f2e274b15 protocol: add a few more options for XDG_RUNTIME_DIR
PIPEWIRE_CORE can be used to specify a server name.
PIPEWIRE_REMOTE can be used to specify what server name to
connect to.

Either use the absolute path of the name to create and connect
to a server, or use a relative path. For a relative path, the
server name will be completed by prefixing the following paths
in order:

PIPEWIRE_RUNTIME_DIR environment variable,
XDG_RUNTIME_DIR environment variable,
HOME environment variable,
USERPROFILE environment variable,
home directory as stored in the password database.

Fixes #259
2020-07-31 12:46:58 +02:00