Replace unsafe.Slice with memory copying to avoid potential fault memory issue

[XinShuYang]

• Refactored ListIPForwardRows to deep copy IP forwarding table rows.
• Removed unsafe.Slice and replaced with manual pointer dereferencing and copying.

This change addresses a potential fault memory issue when iterating through the IP forwarding table,
caused by the use of slices after corresponding memory has been freed, leading to access failure.

[XinShuYang]

/test-windows-all

[XinShuYang]

/test-windows-containerd-e2e

[antoninbas]

Please break down the PR into multiple ones as it is doing essentially 3 unrelated changes. You can then backport specifically what's needed using the normal backporting process, instead of opening an independent / "duplicate" PR (#6665).

[antoninbas]

does this fix a specific issue?

[XinShuYang]

We received a report indicating that when host memory is less than 8GB, using unsafe.Slice can lead to memory faults. It’s possible that this function didn’t perform a deep copy, so after calling freeMibTable, we may encounter invalid memory addresses when access rows again. We have already verified that this deep copy method resolves this issue in the same environment.

[XinShuYang]

Please break down the PR into multiple ones as it is doing essentially 3 unrelated changes. You can then backport specifically what's needed using the normal backporting process, instead of opening an independent / "duplicate" PR (#6665).

@antoninbas Can I merge the agent crash fix and windows CI fix commits into one PR? Otherwise, the Windows CI pipeline will still fail due to rate limit issue.

[antoninbas]

Please break down the PR into multiple ones as it is doing essentially 3 unrelated changes. You can then backport specifically what's needed using the normal backporting process, instead of opening an independent / "duplicate" PR (#6665).

@antoninbas Can I merge the agent crash fix and windows CI fix commits into one PR? Otherwise, the Windows CI pipeline will still fail due to rate limit issue.

Yes, that's ok given that SNATFullyRandomPorts was introduced after the last minor release and the change doesn't need to be backported.

[antoninbas]

As far as I know the only issue with the previous code is that we were not making a copy of the slice prior to returning, while at the same time freeing the underlying memory by calling n.freeMibTable(unsafe.Pointer(table)).

The Wireguard Windows code has a simpler implementation of this, which still uses unsafe.Slice. It achieves correctness by making a proper copy of the slice: https://github.com/WireGuard/wireguard-windows/blob/e70799b1440690e7d4140bffc7c73baf903c7b54/tunnel/winipcfg/winipcfg.go#L151

That being said, if this new version has already been tested thoroughly, there is probably no string reason to change it.

[wenyingd]

@antoninbas , we used to think about the solution as what Wiregurad is taking, a concern is some fields in MibIPForwardRow are using type []byte, which still exists the risk with a shadow copy if the memory resource is limited (e.g., Windows OS re-allocate the memory to other objects after the MibIPForwardTable is free). So we finally choose the solution to deep copy the objects before free the memory. The latest code is verified on the problematic cluster.

[antoninbas]

Do you mean [N]byte types like the [26]byte field in RawSockAddrInet ([]byte would not be possible here AFAIK)? These should be no different than integer types, they should be inlined in the struct with no indirection.

The code before this change was wrong for obvious reasons. I don't think the Wireguard code is wrong. But if you feel like manual copy is the best approach and this has been well-tested, as I wrote before we can merge it as is.

[tnqn]

The fields in MibIPForwardRow is array not slice. It will be deepcopied automatically.
And the current code is inconsistent: it makes a manual deepcopy for RawSockAddrInet but not AddressPrefix which also has a RawSockAddrInet.

[tnqn]

An example: https://play.golang.com/p/z6Gc0YhEQSV

[wenyingd]

LGTM

[XinShuYang]

/test-windows-all

[luolanzone]

Hi @antoninbas @tnqn could you help to double check if we can more forward? this issue is a blocker for downstream customers. Thanks.

[XinShuYang]

/test-windows-containerd-e2e

[antoninbas]

Do you mean [N]byte types like the [26]byte field in RawSockAddrInet ([]byte would not be possible here AFAIK)? These should be no different than integer types, they should be inlined in the struct with no indirection.

The code before this change was wrong for obvious reasons. I don't think the Wireguard code is wrong. But if you feel like manual copy is the best approach and this has been well-tested, as I wrote before we can merge it as is.

[antoninbas]

return *a would make a copy given that data is an array, not a slice
am I missing something @tnqn ?

[tnqn]

You are right. The whole function is what struct copy does exactly.

[XinShuYang]

Thanks for all comments @antoninbas @tnqn , I have updated the code based on the current Windows network management API implementation(https://github.com/tailscale/winipcfg-go/blob/84d0a1a3b210638dfe24d6169581a7af315c13f0/wt_mib_ipforward_row2.go#L51C1-L78C2).

[tnqn]

LGTM

[tnqn]

Please let me know once the verification is done

[XinShuYang]

/test-windows-all

[tnqn]

Thanks for all comments @antoninbas @tnqn , I have updated the code based on the current Windows network management API implementation(https://github.com/tailscale/winipcfg-go/blob/84d0a1a3b210638dfe24d6169581a7af315c13f0/wt_mib_ipforward_row2.go#L51C1-L78C2).

Both are correct, The code in wireguard windows is more concise.

[XinShuYang]

Please let me know once the verification is done

@tnqn Windows CI passed.

[tnqn]

/skip-all

[tnqn]

/skip-all