8150234: Windows 10 App Containers disallow access to ICMP calls
authorrobm
Fri, 15 Apr 2016 14:29:02 +0100
changeset 37362 9b3486880437
parent 37361 a790f7bc3878
child 37363 329dba26ffd2
8150234: Windows 10 App Containers disallow access to ICMP calls Reviewed-by: chegar
jdk/src/java.base/windows/native/libnet/Inet4AddressImpl.c
jdk/src/java.base/windows/native/libnet/Inet6AddressImpl.c
--- a/jdk/src/java.base/windows/native/libnet/Inet4AddressImpl.c	Fri Apr 15 11:09:18 2016 +0000
+++ b/jdk/src/java.base/windows/native/libnet/Inet4AddressImpl.c	Fri Apr 15 14:29:02 2016 +0100
@@ -275,6 +275,151 @@
     return JNU_NewStringPlatform(env, hp->h_name);
 }
 
+static jboolean
+tcp_ping4(JNIEnv *env,
+          jbyteArray addrArray,
+          jint timeout,
+          jbyteArray ifArray,
+          jint ttl)
+{
+    jint addr;
+    jbyte caddr[4];
+    jint fd;
+    struct sockaddr_in him;
+    struct sockaddr_in* netif = NULL;
+    struct sockaddr_in inf;
+    int len = 0;
+    WSAEVENT hEvent;
+    int connect_rv = -1;
+    int sz;
+
+    /**
+     * Convert IP address from byte array to integer
+     */
+    sz = (*env)->GetArrayLength(env, addrArray);
+    if (sz != 4) {
+        return JNI_FALSE;
+    }
+    memset((char *) &him, 0, sizeof(him));
+    memset((char *) caddr, 0, sizeof(caddr));
+    (*env)->GetByteArrayRegion(env, addrArray, 0, 4, caddr);
+    addr = ((caddr[0]<<24) & 0xff000000);
+    addr |= ((caddr[1] <<16) & 0xff0000);
+    addr |= ((caddr[2] <<8) & 0xff00);
+    addr |= (caddr[3] & 0xff);
+    addr = htonl(addr);
+    /**
+     * Socket address
+     */
+    him.sin_addr.s_addr = addr;
+    him.sin_family = AF_INET;
+    len = sizeof(him);
+
+    /**
+     * If a network interface was specified, let's convert its address
+     * as well.
+     */
+    if (!(IS_NULL(ifArray))) {
+        memset((char *) caddr, 0, sizeof(caddr));
+        (*env)->GetByteArrayRegion(env, ifArray, 0, 4, caddr);
+        addr = ((caddr[0]<<24) & 0xff000000);
+        addr |= ((caddr[1] <<16) & 0xff0000);
+        addr |= ((caddr[2] <<8) & 0xff00);
+        addr |= (caddr[3] & 0xff);
+        addr = htonl(addr);
+        inf.sin_addr.s_addr = addr;
+        inf.sin_family = AF_INET;
+        inf.sin_port = 0;
+        netif = &inf;
+    }
+
+    /*
+     * Can't create a raw socket, so let's try a TCP socket
+     */
+    fd = NET_Socket(AF_INET, SOCK_STREAM, 0);
+    if (fd == -1) {
+        /* note: if you run out of fds, you may not be able to load
+         * the exception class, and get a NoClassDefFoundError
+         * instead.
+         */
+        NET_ThrowNew(env, WSAGetLastError(), "Can't create socket");
+        return JNI_FALSE;
+    }
+    if (ttl > 0) {
+        setsockopt(fd, IPPROTO_IP, IP_TTL, (const char *)&ttl, sizeof(ttl));
+    }
+    /*
+     * A network interface was specified, so let's bind to it.
+     */
+    if (netif != NULL) {
+        if (bind(fd, (struct sockaddr*)netif, sizeof(struct sockaddr_in)) < 0) {
+            NET_ThrowNew(env, WSAGetLastError(), "Can't bind socket");
+            closesocket(fd);
+            return JNI_FALSE;
+        }
+    }
+
+    /*
+     * Make the socket non blocking so we can use select/poll.
+     */
+    hEvent = WSACreateEvent();
+    WSAEventSelect(fd, hEvent, FD_READ|FD_CONNECT|FD_CLOSE);
+
+    /* no need to use NET_Connect as non-blocking */
+    him.sin_port = htons(7);    /* Echo */
+    connect_rv = connect(fd, (struct sockaddr *)&him, len);
+
+    /**
+     * connection established or refused immediately, either way it means
+     * we were able to reach the host!
+     */
+    if (connect_rv == 0 || WSAGetLastError() == WSAECONNREFUSED) {
+        WSACloseEvent(hEvent);
+        closesocket(fd);
+        return JNI_TRUE;
+    } else {
+        int optlen;
+
+        switch (WSAGetLastError()) {
+        case WSAEHOSTUNREACH:   /* Host Unreachable */
+        case WSAENETUNREACH:    /* Network Unreachable */
+        case WSAENETDOWN:       /* Network is down */
+        case WSAEPFNOSUPPORT:   /* Protocol Family unsupported */
+            WSACloseEvent(hEvent);
+            closesocket(fd);
+            return JNI_FALSE;
+        }
+
+        if (WSAGetLastError() != WSAEWOULDBLOCK) {
+            NET_ThrowByNameWithLastError(env, JNU_JAVANETPKG "ConnectException",
+                                         "connect failed");
+            WSACloseEvent(hEvent);
+            closesocket(fd);
+            return JNI_FALSE;
+        }
+
+        timeout = NET_Wait(env, fd, NET_WAIT_CONNECT, timeout);
+
+        /* has connection been established */
+
+        if (timeout >= 0) {
+            optlen = sizeof(connect_rv);
+            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)&connect_rv,
+                           &optlen) <0) {
+                connect_rv = WSAGetLastError();
+            }
+
+            if (connect_rv == 0 || connect_rv == WSAECONNREFUSED) {
+                WSACloseEvent(hEvent);
+                closesocket(fd);
+                return JNI_TRUE;
+            }
+        }
+    }
+    WSACloseEvent(hEvent);
+    closesocket(fd);
+    return JNI_FALSE;
+}
 
 /**
  * ping implementation.
@@ -286,23 +431,17 @@
 ping4(JNIEnv *env,
       unsigned long src_addr,
       unsigned long dest_addr,
-      jint timeout)
+      jint timeout,
+      HANDLE hIcmpFile)
 {
     // See https://msdn.microsoft.com/en-us/library/aa366050%28VS.85%29.aspx
 
-    HANDLE hIcmpFile;
     DWORD dwRetVal = 0;
     char SendData[32] = {0};
     LPVOID ReplyBuffer = NULL;
     DWORD ReplySize = 0;
     jboolean ret = JNI_FALSE;
 
-    hIcmpFile = IcmpCreateFile();
-    if (hIcmpFile == INVALID_HANDLE_VALUE) {
-        NET_ThrowNew(env, WSAGetLastError(), "Unable to open handle");
-        return JNI_FALSE;
-    }
-
     ReplySize = sizeof(ICMP_ECHO_REPLY) + sizeof(SendData);
     ReplyBuffer = (VOID*) malloc(ReplySize);
     if (ReplyBuffer == NULL) {
@@ -366,6 +505,7 @@
     jint dest_addr = 0;
     jbyte caddr[4];
     int sz;
+    HANDLE hIcmpFile;
 
     /**
      * Convert IP address from byte array to integer
@@ -396,6 +536,18 @@
         src_addr = htonl(src_addr);
     }
 
-    return ping4(env, src_addr, dest_addr, timeout);
+    hIcmpFile = IcmpCreateFile();
+    if (hIcmpFile == INVALID_HANDLE_VALUE) {
+        int err = WSAGetLastError();
+        if (err == ERROR_ACCESS_DENIED) {
+            // fall back to TCP echo if access is denied to ICMP
+            return tcp_ping4(env, addrArray, timeout, ifArray, ttl);
+        } else {
+            NET_ThrowNew(env, err, "Unable to create ICMP file handle");
+            return JNI_FALSE;
+        }
+    } else {
+        return ping4(env, src_addr, dest_addr, timeout, hIcmpFile);
+    }
 }
 
--- a/jdk/src/java.base/windows/native/libnet/Inet6AddressImpl.c	Fri Apr 15 11:09:18 2016 +0000
+++ b/jdk/src/java.base/windows/native/libnet/Inet6AddressImpl.c	Fri Apr 15 14:29:02 2016 +0100
@@ -326,6 +326,109 @@
 
 #ifdef AF_INET6
 
+/**
+ * ping implementation using tcp port 7 (echo)
+ */
+static jboolean
+tcp_ping6(JNIEnv *env,
+          jint timeout,
+          jint ttl,
+          struct sockaddr_in6 him6,
+          struct sockaddr_in6* netif,
+          int len)
+{
+    jint fd;
+    WSAEVENT hEvent;
+    int connect_rv = -1;
+
+    fd = NET_Socket(AF_INET6, SOCK_STREAM, 0);
+    if (fd == SOCKET_ERROR) {
+        /* note: if you run out of fds, you may not be able to load
+         * the exception class, and get a NoClassDefFoundError
+         * instead.
+         */
+        NET_ThrowNew(env, errno, "Can't create socket");
+        return JNI_FALSE;
+    }
+
+    /**
+     * A TTL was specified, let's set the socket option.
+     */
+    if (ttl > 0) {
+      setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, (const char *)&ttl, sizeof(ttl));
+    }
+
+    /**
+     * A network interface was specified, let's bind to it.
+     */
+    if (netif != NULL) {
+      if (NET_Bind(fd, (struct sockaddr*)netif, sizeof(struct sockaddr_in6)) < 0) {
+        NET_ThrowNew(env, WSAGetLastError(), "Can't bind socket to interface");
+        closesocket(fd);
+        return JNI_FALSE;
+      }
+    }
+
+    /**
+     * Make the socket non blocking.
+     */
+    hEvent = WSACreateEvent();
+    WSAEventSelect(fd, hEvent, FD_READ|FD_CONNECT|FD_CLOSE);
+
+    /* no need to use NET_Connect as non-blocking */
+    him6.sin6_port = htons((short) 7); /* Echo port */
+    connect_rv = connect(fd, (struct sockaddr *)&him6, len);
+
+    /**
+     * connection established or refused immediately, either way it means
+     * we were able to reach the host!
+     */
+    if (connect_rv == 0 || WSAGetLastError() == WSAECONNREFUSED) {
+        WSACloseEvent(hEvent);
+        closesocket(fd);
+        return JNI_TRUE;
+    } else {
+        int optlen;
+
+        switch (WSAGetLastError()) {
+        case WSAEHOSTUNREACH:   /* Host Unreachable */
+        case WSAENETUNREACH:    /* Network Unreachable */
+        case WSAENETDOWN:       /* Network is down */
+        case WSAEPFNOSUPPORT:   /* Protocol Family unsupported */
+          WSACloseEvent(hEvent);
+          closesocket(fd);
+          return JNI_FALSE;
+        }
+
+        if (WSAGetLastError() != WSAEWOULDBLOCK) {
+            NET_ThrowByNameWithLastError(env, JNU_JAVANETPKG "ConnectException",
+                                         "connect failed");
+            WSACloseEvent(hEvent);
+            closesocket(fd);
+            return JNI_FALSE;
+        }
+
+        timeout = NET_Wait(env, fd, NET_WAIT_CONNECT, timeout);
+
+        if (timeout >= 0) {
+          /* has connection been established? */
+          optlen = sizeof(connect_rv);
+          if (getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)&connect_rv,
+                         &optlen) <0) {
+            connect_rv = WSAGetLastError();
+          }
+
+          if (connect_rv == 0 || connect_rv == WSAECONNREFUSED) {
+            WSACloseEvent(hEvent);
+            closesocket(fd);
+            return JNI_TRUE;
+          }
+        }
+    }
+    WSACloseEvent(hEvent);
+    closesocket(fd);
+    return JNI_FALSE;
+}
 
 /**
  * ping implementation.
@@ -337,9 +440,9 @@
 ping6(JNIEnv *env,
       struct sockaddr_in6* src,
       struct sockaddr_in6* dest,
-      jint timeout)
+      jint timeout,
+      HANDLE hIcmpFile)
 {
-    HANDLE hIcmpFile;
     DWORD dwRetVal = 0;
     char SendData[32] = {0};
     LPVOID ReplyBuffer = NULL;
@@ -347,12 +450,6 @@
     IP_OPTION_INFORMATION ipInfo = {255, 0, 0, 0, NULL};
     struct sockaddr_in6 sa6Source;
 
-    hIcmpFile = Icmp6CreateFile();
-    if (hIcmpFile == INVALID_HANDLE_VALUE) {
-        NET_ThrowNew(env, WSAGetLastError(), "Unable to open handle");
-        return JNI_FALSE;
-    }
-
     ReplySize = sizeof(ICMPV6_ECHO_REPLY) + sizeof(SendData);
     ReplyBuffer = (VOID*) malloc(ReplySize);
     if (ReplyBuffer == NULL) {
@@ -411,7 +508,7 @@
     struct sockaddr_in6* netif = NULL;
     struct sockaddr_in6 inf6;
     int len = 0;
-    int connect_rv = -1;
+    HANDLE hIcmpFile;
 
     /*
      * If IPv6 is not enable, then we can't reach an IPv6 address, can we?
@@ -456,7 +553,19 @@
       netif = &inf6;
     }
 
-    return ping6(env, netif, &him6, timeout);
+    hIcmpFile = Icmp6CreateFile();
+    if (hIcmpFile == INVALID_HANDLE_VALUE) {
+        int err = WSAGetLastError();
+        if (err == ERROR_ACCESS_DENIED) {
+            // fall back to TCP echo if access is denied to ICMP
+            return tcp_ping6(env, timeout, ttl, him6, netif, len);
+        } else {
+            NET_ThrowNew(env, err, "Unable to create ICMP file handle");
+            return JNI_FALSE;
+        }
+    } else {
+        return ping6(env, netif, &him6, timeout, hIcmpFile);
+    }
 
 #endif /* AF_INET6 */
     return JNI_FALSE;