* Use strcmpstart() instead of strcmp(x,y,strlen(y)).
* Warn the user if the managed proxy failed to launch.
* Improve function documentation.
* Use smartlist_len() instead of n_unconfigured_proxies.
* Split managed_proxy_destroy() to managed_proxy_destroy()
and managed_proxy_destroy_with_transports().
* Constification.
We'll still need to tweak it so that it looks for includes and
libraries somewhere more sensible than "where we happened to find
them on Erinn's system"; so that tests and tools get built too;
so that it's a bit documented; and so that we actually try running
the output.
Work done with Erinn Clark.
- pid, stdout/stderr_pipe now encapsulated in process_handle
- read_all replaced by tor_read_all_from_process_stdin/stderr
- waitpid replaced by tor_get_exit_code
Untested on *nix
This is the meat of proposal 171: we change circuit_is_acceptable()
to require that the connection is compatible with every connection
that has been linked to the circuit; we update circuit_is_better to
prefer attaching streams to circuits in the way that decreases the
circuits' usefulness the least; and we update link_apconn_to_circ()
to do the appropriate bookkeeping.
* Create a function that will get input from a stream, so that we can
communicate with the managed proxy.
* Hackish change to tor_spawn_background() so that we can specify an
environ for our spawn.
Original message from bug3393:
check_private_dir() to ensure that ControlSocketsGroupWritable is
safe to use. Unfortunately, check_private_dir() only checks against
the currently running user… which can be root until privileges are
dropped to the user and group configured by the User config option.
The attached patch fixes the issue by adding a new effective_user
argument to check_private_dir() and updating the callers. It might
not be the best way to fix the issue, but it did in my tests.
(Code by lunar; changelog by nickm)
On win64, sockets are of type UINT_PTR; on win32 they're u_int;
elsewhere they're int. The correct windows way to check a socket for
being set is to compare it with INVALID_SOCKET; elsewhere you see if
it is negative.
On Libevent 2, all callbacks take sockets as evutil_socket_t; we've
been passing them int.
This patch should fix compilation and correctness when built for
64-bit windows. Fixes bug 3270.
We'll need this for checking permissions on the directories that hold
control sockets: if somebody says "ControlSocket ~/foo", it would be
pretty rude to do a chmod 700 on their homedir.
Conflicts in various places, mainly node-related. Resolved them in
favor of HEAD, with copying of tor_mem* operations from bug3122_memcmp_022.
src/common/Makefile.am
src/or/circuitlist.c
src/or/connection_edge.c
src/or/directory.c
src/or/microdesc.c
src/or/networkstatus.c
src/or/router.c
src/or/routerlist.c
src/test/test_util.c
Conflicts throughout. All resolved in favor of taking HEAD and
adding tor_mem* or fast_mem* ops as appropriate.
src/common/Makefile.am
src/or/circuitbuild.c
src/or/directory.c
src/or/dirserv.c
src/or/dirvote.c
src/or/networkstatus.c
src/or/rendclient.c
src/or/rendservice.c
src/or/router.c
src/or/routerlist.c
src/or/routerparse.c
src/or/test.c
Here I looked at the results of the automated conversion and cleaned
them up as follows:
If there was a tor_memcmp or tor_memeq that was in fact "safe"[*] I
changed it to a fast_memcmp or fast_memeq.
Otherwise if there was a tor_memcmp that could turn into a
tor_memneq or tor_memeq, I converted it.
This wants close attention.
[*] I'm erring on the side of caution here, and leaving some things
as tor_memcmp that could in my opinion use the data-dependent
fast_memcmp variant.
It's all too easy in C to convert an unsigned value to a signed one,
which will (on all modern computers) give you a huge signed value. If
you have a size_t value of size greater than SSIZE_T_MAX, that is way
likelier to be an underflow than it is to be an actual request for
more than 2gb of memory in one go. (There's nothing in Tor that
should be trying to allocate >2gb chunks.)
- Responsibility of clearing hex_errno is no longer with caller
- More conservative bounds checking
- Length requirement of hex_errno documented
- Output format documented
Some of these functions only work for routerinfo-based nodes, and as
such are only usable for advisory purposes. Fortunately, our uses
of them are compatible with this limitation.
This function uses GetSystemDirectory() to make sure we load the version
of the library from c:\windows\system32 (or local equivalent) rather than
whatever version lives in the cwd.
This should keep WinCE working (unicode always-on) and get Win98
working again (unicode never-on).
There are two places where we explicitly use ASCII-only APIs, still:
in ntmain.c and in the unit tests.
This patch also fixes a bug in windoes tor_listdir that would cause
the first file to be listed an arbitrary number of times that was
also introduced with WinCE support.
Should fix bug 1797.
This should make us conflict less with system files named "log.h".
Yes, we shouldn't have been conflicting with those anyway, but some
people's compilers act very oddly.
The actual change was done with one "git mv", by editing
Makefile.am, and running
find . -name '*.[ch]' | xargs perl -i -pe 'if (/^#include.*\Wlog.h/) {s/log.h/torlog.h/; }'
Having ~/.tor expand into /.tor is, after all, almost certainly not
what the user wanted, and it deserves a warning message.
Also, convert a guess-and-malloc-and-sprintf triple into an asprintf.
Most of the changes here are switches to use APIs available on Windows
CE. The most pervasive change is that Windows CE only provides the
wide-character ("FooW") variants of most of the windows function, and
doesn't support the older ASCII verions at all.
This patch will require use of the wcecompat library to get working
versions of the posix-style fd-based file IO functions.
[commit message by nickm]
On Windows, we don't have a notion of ~ meaning "our homedir", so we
were deliberately using an #ifdef to avoid calling expand_filename()
in multiple places. This is silly: The right place to turn a function
into a no-op on a single platform is in the function itself, not in
every single call-site.
We do this in too many places throughout the code; it's time to start
clamping down.
Also, refactor Karsten's patch to use strchr-then-strndup, rather than
malloc-then-strlcpy-then-strchr-then-clear.
When we added support for fractional units (like 1.5 MB) I broke
support for giving units with no space (like 2MB). This patch should
fix that. It also adds a propoer tor_parse_double().
Fix for bug 1076. Bugfix on 0.2.2.1-alpha.
When determining how long directory requests take or how long cells spend
in queues, we were comparing timestamps on microsecond detail only to
convert results to second or millisecond detail later on. But on 32-bit
architectures this means that 2^31 microseconds only cover time
differences of up to 36 minutes. Instead, compare timestamps on
millisecond detail.
This patch adds a function to determine whether we're in the main
thread, and changes control_event_logmsg() to return immediately if
we're in a subthread. This is necessary because otherwise we will
call connection_write_to_buf, which modifies non-locked data
structures.
Bugfix on 0.2.0.x; fix for at least one of the things currently
called "bug 977".
tor_sscanf() only handles %u and %s for now, which will make it
adequate to replace sscanf() for date/time/IP parsing. We want this
to prevent attackers from constructing weirdly formed descriptors,
cells, addresses, HTTP responses, etc, that validate under some
locales but not others.
svn:r18760
The subversion $Id$ fields made every commit force a rebuild of
whatever file got committed. They were not actually useful for
telling the version of Tor files in the wild.
svn:r17867
dmalloc_malloc, dmalloc_realloc and dmalloc_strdup. It only calls those
functions if we're using the magic USE_DMALLOC macro. If we're not doing
that, we call the normal malloc, realloc and strdup. This is my first
night at malloc disambiguation club, so I had to disambiguate. Also, first commit, I have my commit bit now. Huzzzah!!!
svn:r17157
Make generic address manipulation functions work better. Switch address policy code to use tor_addr_t, so it can handle IPv6. That is a good place to start.
svn:r16178
Fix for bug 742: do not use O_CREAT on 2-option version of open(). Especially do not use it on /dev/null. Fix from Michael Scherer. Bugfix on 0.0.2pre19 (wow).
svn:r15626
Fix all remaining shorten-64-to-32 errors in src/common. Some were genuine problems. Many were compatibility errors with libraries (openssl, zlib) that like predate size_t. Partial backport candidate.
svn:r13665
Fix some warnings identified by building with -D_FORTIFY_SOURCE=2. Remove a redundant (and nuts) definition of _FORTIFY_SOURCE from eventdns.c.
svn:r13424
Write a new autoconf macro to test whether a function is declared. It is suboptimal and possibly buggy in some way, but it seems to work for me. use it to test for a declaration of malloc_good_size, so we can workaround operating systems (like older OSX) that have the function in their libc but do not deign to declare it in their headers. Should resolve bug 587.
svn:r13339
Another test for the increasingly bad check-spaces style checker to check: #else\n#if is almost a sure sign of a failure to use #elif. Fortunately, we only did that 3 times.
svn:r13039
Push the strdups used for parsing configuration lines into parse_line_from_string(). This will make it easier to parse more complex value formats, which in turn will help fix bug 557
svn:r13020
Use reference-counting to avoid allocating a zillion little addr_policy_t objects. (This is an old patch that had been sitting on my hard drive for a while.)
svn:r13017
New, slightly esoteric function, tor_malloc_roundup(). While tor_malloc(x) allocates x bytes, tor_malloc_roundup(&x) allocates the same size of chunk it would use to store x bytes, and sets x to the usable size of that chunk.
svn:r12981
Change tor_addr_t to be a tagged union of in_addr and in6_addr, not of sockaddr_in and sockaddr_in6. It's hardly used in the main code as it is, but let's get it right before it gets popular.
svn:r12660
Improved skew reporting: "You are 365 days in the duture" is more useful than "You are 525600 minutes in the future". Also, when we get something that proves we are at least an hour in the past, tell the controller "CLOCK_SKEW MIN_SKEW=-3600" rather than just "CLOCK_SKEW"
svn:r12283
Add a bunch of function documentation; clean up a little code; fix some XXXXs; tag the nonsensical EXTRAINFO_PURPOSE_GENERAL as nonsesnse; note another bit of "do not cache special routers" code to nuke.
svn:r11761
Refactor write_chunks_to_file_impl: break out the "pick a temporary name if it makes sense, and open the right filename" logic and the "close the file and unlink or rename if necessary" logic. This will let us write big files in a smarter way than "Build a big string" or "make a list of chunks", once we get around to using it.
svn:r11300
Add a new ClientDNSRejectInternalAddresses option (default: on) to refuse to believe that any address can map to or from an internal address. This blocks some kinds of potential browser-based attacks, especially on hosts using DNSPort. Also clarify behavior in some comments. Backport candiate?
svn:r11287
Glibc (and maybe others) define a mallinfo() that can be used to see how the platform malloc is acting inside. When we have it, dump its output on dumpmemusage().
svn:r10996
Another patch from croup: drop support for address masks that do not correspond to bit prefixes. Nobody has used this for a while, and we have given warnings for a long time.
svn:r10881
Patch from croup: rewrite the logic of get_next_token() to do the right thing with input that ends at weird places, or aligns with block boundaries after mmap. should fix bug 455. Needs fuzzing.
svn:r10847
Fix the fix for bug 445: set umask properly. Also use open+fdopen rather than just umask+fopen, and create authority identity key with mode 400.
svn:r10485
First bare stubs of ipv6 work: commit some (untested, hence doublessly broken) implementations of inet_ntop/pton for systems that lack them.
svn:r10326
Add math functions to round values to the nearest power of 2. Make mempools more careful about making sure that the size of their chunks is a little less than a power of 2, not a little more.
svn:r10304
More v3 directory code: have authorities load certificates; have everybody store certificates to disk and load them; provide a way to configure v3 authorities.
svn:r10293
Partial backport candidate: do not rely on finding a \0 after an mmaped() router/extrainfo file. Also, set journal length correctly when starting up.
svn:r10248
Track the number of connection_t separately from the number of open sockets. It is already possible to have connections that do not count: resolving conns, for one. Once we move from socketpairs to linked conns, and once we do dns proxying, there will be lots of such connections.
svn:r9994
Make all LD_BUG log messsages get prefixed with "Bug: ". Remove manually-generated "Bug: "s from log-messages. (Apparently, we remembered to add them about 40% of the time.)
svn:r9733
Handle errors on opening cached-routers* more uniformly and sanely: log not-found errors at level INFO, and all other errors at level WARN. Needs testing on win32.
svn:r9569
Add documentation to src/common/*.h; improve documentation for SMARTLIST_FOREACH; remove never-used options and corresponding tests from tor_strpartition.
svn:r9483
Removing the last DOCDOC comment hurt so much that I had to use Doxygen to identify undocumented macros and comments, and add 150 more DOCDOCs to point out where they were. Oops. Hey, kids! Fixing some of these could be your first Tor patch!
svn:r9477
Implement SOCKS_BAD_HOSTNAME status event. Defer remaining status events. Clean up control-spec.txt a little, and fill in recommendations for events.
svn:r9374
Yes, apparently saying strcpy in front of openbsd is like saying "intellectual property" in front of RMS. They both have a point, I guess, even though they extend it to contexts where it is completely irrelevant.
svn:r9370
Apparently, the OpenBSD linker thinks it knows C better than I do, and gets to call me names for having strcat and strcpy and sprintf in my code--whether I use them safely or not. All right, OpenBSD. You win... this round.
svn:r9360
Fix bug found by Keith Skinner: Treat malformed max-ports in address ranges as an error, and dont ignore errors with min-ports even if a max-port is present.
svn:r9168
Try to compile with fewer warnings on irix64's MIPSpro compiler /
environment, which apparently believes that:
- off_t can be bigger than size_t.
- only mean kids assign things they do not subsequently inspect.
I don't try to fix the "error" that makes it say:
cc-3970 cc: WARNING File = main.c, Line = 1277
conversion from pointer to same-sized integral type (potential portability
problem)
uintptr_t sig = (uintptr_t)arg;
Because really, what can you do about a compiler that claims to be c99
but doesn't understand that void* x = NULL; uintptr_t y = (uintptr_t) x;
is safe?
svn:r8948
Add unit tests for tor_mmap_file(); make tor_mmap_t.size always be the size of the file (not the size of the mapping); add an extra argument to read_file_to_str() so it can return the size of the result string.
svn:r8762
Remove/clarify some XXXs for no longer being accurate; for begin things we do not indend to fix; for already being parts of big todo issues (like "/* XXX ipv6 */"); etc. Also fix some spaces.
svn:r8580
Move is_local_IP to config.c; have it check for same-/24; make it used only for reachability (not for banwidth, because that is probably not what we want). Fixes an XXX.
svn:r8578
Improvement to last entry guards patch: track when we last attempted to connect to a node in our state file along with how long it has been unreachable. Also clarify behavior of parse_iso_time() when it gets extra characters.
svn:r8520
Fix bug 327 (part 2): Cast char to unsigned char before passing to toupper/tolower. (Follow the same idiom as with isupper and friends, in case we run into the same problem on SGI or whereever it was.)
svn:r8310
we were refusing names that had $ in them, which people who specify
$key.exit will be sad about. There are likely other examples.
If people can think of reasons why we should be picky, let me know.
svn:r6496
This is needed because Windows already has an err() that we
can't clobber. And we need to be able to make the log functions
a macro so we can print the function's name in the log entry.
svn:r6000