Commit Graph

33565 Commits

Author SHA1 Message Date
Nick Mathewson
cdafcc49bc Fix a memory leak in tor-resolve.c
Closes bug 30151/coverity CID 1441830. Bugfix on 0.4.0.1-alpha when
we started doing trunnel parsing in tor-resolve.c.
2019-04-11 19:10:05 -04:00
Nick Mathewson
7332346002 Changes file and practracker updates for 30149. 2019-04-11 18:58:44 -04:00
Nick Mathewson
48a574604b Remove an extraneous _ from __COVERITY__
We had a typo in this check, so that coverity wasn't taking the
right path.

Bug not in any released Tor.
2019-04-11 18:56:02 -04:00
Nick Mathewson
66b07e7ec1 Add an assertion to num_ntors_per_tap().
This should please coverity, and fix CID 1415721.  It didn't
understand that networkstatus_get_param() always returns a value
between its minimum and maximum values.
2019-04-11 18:44:10 -04:00
Nick Mathewson
96e310911f Add an assertion to compute_weighted_bandwidths()
This should please coverity, and fix CID 1415722.  It didn't
understand that networkstatus_get_param() always returns a value
between its minimum and maximum values.
2019-04-11 18:41:38 -04:00
Nick Mathewson
55690d05bd Add an assertion to pathbias_get_scale_ratio()
This should please coverity, and fix CID 1415723.  It didn't understand
that networkstatus_get_param() always returns a value between its
minimum and maximum values.
2019-04-11 18:38:59 -04:00
Nick Mathewson
85ff6f9114 Fix a memory leak on failure to create keys directory.
Fixes bug 30148, which is also CID 1437429 and CID 1437454. Bugfix
on 0.3.3.1-alpha, when separate key directories became a thing.
2019-04-11 18:18:14 -04:00
Nick Mathewson
e39b53ef7d changes file and practracker updates for 30147. 2019-04-11 17:59:21 -04:00
Nick Mathewson
781d69f3a7 Make it clear to coverity we aren't leaking in protover_all_supported()
The logic here should be "use versions or free it".  The "free it"
part was previously in a kind of obfuscated place, so coverity
wasn't sure it was invoked as appropriate.  CID 1437436.
2019-04-11 17:51:11 -04:00
Nick Mathewson
4e3d144fb0 Don't leak on logic error in string_is_valid_nonrfc_hostname()
This is CID 1437438.  No backport needed: this is unreachable, and
guarded with a BUG() check.
2019-04-11 17:40:05 -04:00
Nick Mathewson
7c98105d56 On failure to create extend info for an introduction point, don't leak.
This is CID 1438152.  No backport needed: this path is already
inside a BUG() guard.
2019-04-11 17:35:19 -04:00
Nick Mathewson
adeecce53b forward-port the 0.4.0.4-rc changelog 2019-04-11 17:06:19 -04:00
Nick Mathewson
7dd247c5fd Merge branch 'maint-0.4.0' 2019-04-11 17:05:45 -04:00
Nick Mathewson
40471d73e5 bump to 0.4.0.4-rc-dev 2019-04-11 17:05:38 -04:00
Neel Chauhan
011307dd5f Make repeated/rate limited HSFETCH queries fail with QUERY_RATE_LIMITED 2019-04-11 15:21:17 -04:00
Nick Mathewson
9fabf104ed Merge remote-tracking branch 'tor-github/pr/913' 2019-04-11 14:30:05 -04:00
Nick Mathewson
d549440124 Merge remote-tracking branch 'tor-github/pr/887' 2019-04-11 14:29:16 -04:00
Nick Mathewson
f8dc935fb7 Merge remote-tracking branch 'tor-github/pr/741' 2019-04-11 14:27:06 -04:00
teor
6ef3819798
Travis: use stem backtrace signals with timelimit
Part of 30117.
2019-04-11 11:59:30 +10:00
Nick Mathewson
3c64cfe649 Merge branch 'maint-0.4.0' 2019-04-10 11:52:12 -04:00
Nick Mathewson
b2fc57426c Bump version to 0.4.0.4-rc 2019-04-10 11:51:49 -04:00
Nick Mathewson
98e08b452f Fix pre-commit hook to correctly allow empty changes files.
Fixes bug 30120; bugfix not in any released Tor.
2019-04-10 11:49:23 -04:00
Nick Mathewson
3be1e26b8d Merge branch 'maint-0.4.0' 2019-04-10 11:31:44 -04:00
Nick Mathewson
412bcc5b2a Merge remote-tracking branch 'tor-github/pr/926' into maint-0.4.0 2019-04-10 11:31:33 -04:00
George Kadianakis
2cdc6b2005 Add changes file for #30040. 2019-04-10 12:46:27 +03:00
Tobias Stoeckmann
9ce0bdd226 Prevent double free on huge files with 32 bit.
The function compat_getdelim_ is used for tor_getline if tor is compiled
on a system that lacks getline and getdelim. These systems should be
very rare, considering that getdelim is POSIX.

If this system is further a 32 bit architecture, it is possible to
trigger a double free with huge files.

If bufsiz has been already increased to 2 GB, the next chunk would
be 4 GB in size, which wraps around to 0 due to 32 bit limitations.

A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);"
which therefore could return NULL. The code in question considers
that an error, but will keep the value of *buf pointing to already
freed memory.

The caller of tor_getline() would free the pointer again, therefore
leading to a double free.

This code can only be triggered in dirserv_read_measured_bandwidths
with a huge measured bandwith list file on a system that actually
allows to reach 2 GB of space through realloc.

It is not possible to trigger this on Linux with glibc or other major
*BSD systems even on unit tests, because these systems cannot reach
so much memory due to memory fragmentation.

This patch is effectively based on the penetration test report of
cure53 for curl available at https://cure53.de/pentest-report_curl.pdf
and explained under section "CRL-01-007 Double-free in aprintf() via
unsafe size_t multiplication (Medium)".
2019-04-10 12:46:27 +03:00
teor
5722c6d12d
scripts: In git-pull-all.sh, also fetch the latest tor-github pull requests
Implements ticket 30114.
2019-04-10 19:26:47 +10:00
teor
12b9bfc05f
test: Also avoid reading the system default torrc in integration tests
Part of 29702.
2019-04-10 19:03:43 +10:00
rl1987
acec0192c3
Add changes file 2019-04-10 18:45:36 +10:00
rl1987
93dcfc6593
Use empty torrc file when launching tor in test_rebind.py 2019-04-10 18:45:21 +10:00
teor
60c46c6cd0
practracker: accept 4 extra lines due to 30041 2019-04-10 18:29:11 +10:00
teor
a1d9f44971
Merge branch 'maint-0.4.0' 2019-04-10 18:27:11 +10:00
teor
454bdb22ee
Merge remote-tracking branch 'tor-github/pr/920' into maint-0.4.0 2019-04-10 18:26:49 +10:00
teor
8cfab3b7c3
doc: Improve the documentation for MapAddress .exit
Fixes bug 30109; bugfix on 0.1.0.1-rc.
2019-04-10 17:43:59 +10:00
teor
ce9b101574
bwauth: update measured bandwidth file comments
We forgot to update function header comments and code comments when we
made changes in 0.3.5.1-alpha and later.

Closes 30112.
2019-04-10 15:57:54 +10:00
Nick Mathewson
c28cdcc9bf Merge branch 'maint-0.4.0' 2019-04-09 13:51:44 -04:00
Nick Mathewson
ffdca3dd14 Merge branch 'bug29922_035' into maint-0.4.0 2019-04-09 13:49:58 -04:00
Nick Mathewson
9f3f99938e Actually I believe this should be an EINVAL. 2019-04-09 13:49:10 -04:00
Nick Mathewson
c24928dd8f Changes file for bug30041 2019-04-09 12:05:33 -04:00
Tobias Stoeckmann
a628e36024 Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:22 -04:00
Tobias Stoeckmann
5a6ab3e7db Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:14 -04:00
Nick Mathewson
c10011532e Changes file for bug30041 2019-04-09 12:03:22 -04:00
Tobias Stoeckmann
0fa95308fe Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:00:14 -04:00
Tobias Stoeckmann
74b2bc43fb Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

  [This is a backport of the submitted patch to 0.2.9, where the
  buf_move_to_buf and buf_new_with_data functions did not exist.]
2019-04-09 11:59:20 -04:00
George Kadianakis
16041d7918 Merge branch 'maint-0.4.0' 2019-04-09 12:25:18 +03:00
George Kadianakis
c7cf49dc3c Merge branch 'tor-github/pr/915' into maint-0.4.0 2019-04-09 12:24:52 +03:00
teor
3d45079c27
Merge branch 'maint-0.4.0' 2019-04-09 11:36:59 +10:00
teor
e4692fad96
Merge remote-tracking branch 'tor-github/pr/866' 2019-04-09 11:36:38 +10:00
teor
2dab7a1078
Merge remote-tracking branch 'tor-github/pr/862' 2019-04-09 11:36:12 +10:00
teor
92e8bdf296
Merge remote-tracking branch 'tor-github/pr/892' into maint-0.4.0 2019-04-09 11:35:41 +10:00