r17916@catbus: nickm | 2008-02-05 16:29:35 -0500

Fix some XXX020 items in control.c: add a maximum line length and note that the number of versioning authorities is no longer apparent to clients.


svn:r13390

ChangeLog

@@ -1,8 +1,17 @@
 Changes in version 0.2.0.19-alpha - 2008-02-??
-  o Minor features:
+  o Minor features (directory authority):
     - Actually validate the options passed to AuthDirReject, AuthDirInvalid,
       AuthDirBadDir, and AuthDirBadExit.
 
+  o Minor features (controller):
+    - Reject controller commands over 1MB in length.  This keeps rogue
+      processes from running us out of memory.
+
+  o Deprecated features (controller):
+    - The status/version/num-versioning and status/version/num-concurring
+      GETINFO options are no longer useful in the V3 directory protocol:
+      treat them as deprecated, and warn when they're used.
+
   o Major bugfixes:
     - If we're a relay, avoid picking ourselves as an introduction point,
       a rendezvous point, or as the final hop for internal circuits. Bug

doc/spec/control-spec.txt

@@ -557,9 +557,6 @@ $Id$
     "status/version/recommended" -- List of currently recommended versions
     "status/version/current" -- Status of the current version. One of:
         new, old, unrecommended, recommended, new in series, obsolete.
-    "status/version/num-versioning" -- Number of versioning authorities
-    "status/version/num-concurring" -- Number of versioning authorities
-        agreeing on the status of the current version
 
   Examples:
      C: GETINFO version desc/name/moria1

src/or/control.c

@@ -1640,8 +1640,7 @@ getinfo_helper_events(control_connection_t *control_conn,
     smartlist_free(status);
   } else if (!strcmpstart(question, "addr-mappings/") ||
              !strcmpstart(question, "address-mappings/")) {
-    /* XXXX020 Warn about deprecated addr-mappings variant?  Or wait for
+    /* XXXX021 Warn about deprecated addr-mappings variant. */
-     * 0.2.1.x? */
     time_t min_e, max_e;
     smartlist_t *mappings;
     int want_expiry = !strcmpstart(question, "address-mappings/");
@@ -1712,10 +1711,11 @@ getinfo_helper_events(control_connection_t *control_conn,
           }
       } else if (!strcmp(question, "status/version/num-versioning") ||
                  !strcmp(question, "status/version/num-concurring")) {
-        /*XXXX020 deprecate.*/
         char s[33];
         tor_snprintf(s, sizeof(s), "%d", get_n_authorities(V3_AUTHORITY));
         *answer = tor_strdup(s);
+        log_warn(LD_GENERAL, "%s is deprecated; it no longer gives useful "
+                 "information");
       }
     } else {
       return 0;
@@ -2627,6 +2627,11 @@ is_valid_initial_command(control_connection_t *conn, const char *cmd)
   return 0;
 }
 
+/** Do not accept any control command of more than 1MB in length.  Anything
+ * that needs to be anywhere near this long probably means that one of our
+ * interfaces is broken. */
+#define MAX_COMMAND_LINE_LENGTH (1024*1024)
+
 /** Called when data has arrived on a v1 control connection: Try to fetch
  * commands from conn->inbuf, and execute them.
  */
@@ -2679,7 +2684,12 @@ connection_control_process_inbuf(control_connection_t *conn)
         /* Line not all here yet. Wait. */
         return 0;
       else if (r == -1) {
-        /*XXXX020 impose some maximum on length! */
+        if (data_len + conn->incoming_cmd_cur_len > MAX_COMMAND_LINE_LENGTH) {
+          connection_write_str_to_buf("500 Line too long.\r\n", TO_CONN(conn));
+          connection_stop_reading(TO_CONN(conn));
+          connection_mark_for_close(TO_CONN(conn));
+          conn->_base.hold_open_until_flushed = 1;
+        }
         while (conn->incoming_cmd_len < data_len+conn->incoming_cmd_cur_len)
           conn->incoming_cmd_len *= 2;
         conn->incoming_cmd = tor_realloc(conn->incoming_cmd,