Merge remote-tracking branch 'origin/maint-0.2.2'

2024-11-10 13:13:44 +01:00 · 2011-07-01 12:56:40 -04:00 · 2011-07-01 12:56:40 -04:00 · 734e860d98
commit 734e860d98
parent 0b536469ee 06f0c1aa6a
7 changed files with 37 additions and 4 deletions
--- a/changes/cid_428
+++ b/changes/cid_428
@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Always NUL-terminate the sun_path field of a sockaddr_un before
+      passing it to the kernel. (Not a security issue: kernels are
+      smart enough to reject bad sockaddr_uns.) Found by Coverity; CID
+      # 428. Bugfix on Tor 0.2.0.3-alpha.
--- a/changes/cid_450
+++ b/changes/cid_450
@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Don't stack-allocate the list of supplementary GIDs when we're
+      about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+      could take up to 256K, which is way too much stack.  Found by
+      Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
--- a/changes/memleak_rendcache
+++ b/changes/memleak_rendcache
@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Fix a memory leak when receiving a descriptor for a hidden
+      service we didn't ask for. Found by Coverity; CID#30. Bugfix on
+      0.2.2.26-beta.
--- a/src/common/compat.c
+++ b/src/common/compat.c
@ -1280,7 +1280,8 @@ log_credential_status(void)
  /* Read, effective and saved GIDs */
  gid_t rgid, egid, sgid;
  /* Supplementary groups */
-  gid_t sup_gids[NGROUPS_MAX + 1];
+  gid_t *sup_gids = NULL;
+  int sup_gids_size;
  /* Number of supplementary groups */
  int ngids;

@ -1326,9 +1327,19 @@ log_credential_status(void)
 #endif

  /* log supplementary groups */
-  if ((ngids = getgroups(NGROUPS_MAX + 1, sup_gids)) < 0) {
+  sup_gids_size = 64;
+  sup_gids = tor_malloc(sizeof(gid_t) * 64);
+  while ((ngids = getgroups(sup_gids_size, sup_gids)) < 0 &&
+         errno == EINVAL &&
+         sup_gids_size < NGROUPS_MAX) {
+    sup_gids_size *= 2;
+    sup_gids = tor_realloc(sup_gids, sizeof(gid_t) * sup_gids_size);
+  }
+
+  if (ngids < 0) {
    log_warn(LD_GENERAL, "Error getting supplementary GIDs: %s",
             strerror(errno));
+    tor_free(sup_gids);
    return -1;
  } else {
    int i, retval = 0;
@ -1358,6 +1369,7 @@ log_credential_status(void)
      tor_free(cp);
    });
    smartlist_free(elts);
+    tor_free(sup_gids);

    return retval;
  }
--- a/src/or/connection.c
+++ b/src/or/connection.c
@ -854,7 +854,13 @@ create_unix_sockaddr(const char *listenaddress, char **readable_address,

  sockaddr = tor_malloc_zero(sizeof(struct sockaddr_un));
  sockaddr->sun_family = AF_UNIX;
-  strncpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path));
+  if (strlcpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path))
+      >= sizeof(sockaddr->sun_path)) {
+    log_warn(LD_CONFIG, "Unix socket path '%s' is too long to fit.",
+             escaped(listenaddress));
+    tor_free(sockaddr);
+    return NULL;
+  }

  if (readable_address)
    *readable_address = tor_strdup(listenaddress);
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@ -2440,7 +2440,7 @@ measured_bw_line_parse(measured_bw_line_t *out, const char *orig_line)
        tor_free(line);
        return -1;
      }
-      strncpy(out->node_hex, cp, sizeof(out->node_hex));
+      strlcpy(out->node_hex, cp, sizeof(out->node_hex));
      got_node_id=1;
    }
  } while ((cp = tor_strtok_r(NULL, " \t", &strtok_state)));
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@ -1040,6 +1040,7 @@ rend_cache_store(const char *desc, size_t desc_len, int published,
    log_warn(LD_REND, "Received service descriptor for service ID %s; "
             "expected descriptor for service ID %s.",
             query, safe_str(service_id));
+    rend_service_descriptor_free(parsed);
    return -2;
  }
  now = time(NULL);