From: Ben Darnell <ben@bendarnell.com>
Date: Sun, 28 Apr 2013 02:54:55 +0000 (-0400)
Subject: Catch additional errors to prevent warnings logged when connections
X-Git-Tag: v3.1.0~99
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bb4d9b9703552427e20010698ae8041b77bb8de;p=thirdparty%2Ftornado.git

Catch additional errors to prevent warnings logged when connections
are closed immediately after opening.

Closes #750.
---

diff --git a/tornado/iostream.py b/tornado/iostream.py
index 16b0fac1a..b84d17734 100644
--- a/tornado/iostream.py
+++ b/tornado/iostream.py
@@ -764,7 +764,7 @@ class SSLIOStream(IOStream):
             elif err.args[0] == ssl.SSL_ERROR_SSL:
                 try:
                     peer = self.socket.getpeername()
-                except:
+                except Exception:
                     peer = '(not connected)'
                 gen_log.warning("SSL Error on %d %s: %s",
                                 self.socket.fileno(), peer, err)
@@ -773,6 +773,11 @@ class SSLIOStream(IOStream):
         except socket.error as err:
             if err.args[0] in (errno.ECONNABORTED, errno.ECONNRESET):
                 return self.close(exc_info=True)
+        except AttributeError:
+            # On Linux, if the connection was reset before the call to
+            # wrap_socket, do_handshake will fail with an
+            # AttributeError.
+            return self.close(exc_info=True)
         else:
             self._ssl_accepting = False
             if not self._verify_cert(self.socket.getpeercert()):
diff --git a/tornado/netutil.py b/tornado/netutil.py
index 7b7d48dd6..18a84ec58 100644
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -135,8 +135,15 @@ def add_accept_handler(sock, callback, io_loop=None):
             try:
                 connection, address = sock.accept()
             except socket.error as e:
+                # EWOULDBLOCK and EAGAIN indicate we have accepted every
+                # connection that is available.
                 if e.args[0] in (errno.EWOULDBLOCK, errno.EAGAIN):
                     return
+                # ECONNABORTED indicates that there was a connection
+                # but it was closed while still in the accept queue.
+                # (observed on FreeBSD).
+                if e.args[0] == errno.ECONNABORTED:
+                    continue
                 raise
             callback(connection, address)
     io_loop.add_handler(sock.fileno(), accept_handler, IOLoop.READ)
diff --git a/tornado/tcpserver.py b/tornado/tcpserver.py
index fbd9c63d3..b92fff6b8 100644
--- a/tornado/tcpserver.py
+++ b/tornado/tcpserver.py
@@ -216,7 +216,17 @@ class TCPServer(object):
                 else:
                     raise
             except socket.error as err:
-                if err.args[0] == errno.ECONNABORTED:
+                # If the connection is closed immediately after it is created
+                # (as in a port scan), we can get one of several errors.
+                # wrap_socket makes an internal call to getpeername,
+                # which may return either EINVAL (Mac OS X) or ENOTCONN
+                # (Linux).  If it returns ENOTCONN, this error is
+                # silently swallowed by the ssl module, so we need to
+                # catch another error later on (AttributeError in
+                # SSLIOStream._do_ssl_handshake).
+                # To test this behavior, try nmap with the -sT flag.
+                # https://github.com/facebook/tornado/pull/750
+                if err.args[0] in (errno.ECONNABORTED, errno.EINVAL):
                     return connection.close()
                 else:
                     raise