Commit Graph

31899 Commits

Author SHA1 Message Date
Tobias Stoeckmann
5a6ab3e7db Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:14 -04:00
Nick Mathewson
c10011532e Changes file for bug30041 2019-04-09 12:03:22 -04:00
Tobias Stoeckmann
0fa95308fe Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:00:14 -04:00
Tobias Stoeckmann
74b2bc43fb Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

  [This is a backport of the submitted patch to 0.2.9, where the
  buf_move_to_buf and buf_new_with_data functions did not exist.]
2019-04-09 11:59:20 -04:00
George Kadianakis
c7cf49dc3c Merge branch 'tor-github/pr/915' into maint-0.4.0 2019-04-09 12:24:52 +03:00
teor
92e8bdf296
Merge remote-tracking branch 'tor-github/pr/892' into maint-0.4.0 2019-04-09 11:35:41 +10:00
rl1987
61e6b217c5
manpage: Clarify that Tor does stream isolation between *Port listeners by default
cherry-pick of tor-github/pr/841 to maint-0.4.0.
2019-04-09 11:34:51 +10:00
Nick Mathewson
a63bd87760 Detect and suppress an additional gmtime() warning in test_util.c
Fixes bug 29922; bugfix on 0.2.9.3-alpha when we tried to capture
all these warnings.  No need to backport any farther than 0.3.5,
though -- these warnings don't cause test failures before then.

This one was tricky to find because apparently it only happened on
_some_ windows builds.
2019-04-08 17:02:14 -04:00
teor
b100c9e980
Merge remote-tracking branch 'tor-github/pr/911' into maint-0.4.0 2019-04-06 12:15:41 +10:00
teor
4dd96f7444
changes: Ticket 29241 is actually a bug on NSS in 0.3.5.1-alpha 2019-04-06 11:07:20 +10:00
Nick Mathewson
5cb94cbf9d
NSS: disable TLS1.2 SHA-384 ciphersuites.
In current NSS versions, these ciphersuites don't work with
SSL_ExportKeyingMaterial(), which was causing relays to fail when
they tried to negotiate the v3 link protocol authentication.

Fixes bug 29241; bugfix on 0.4.0.1-alpha.
2019-04-06 11:06:34 +10:00
Nick Mathewson
680fd3f8fb
NSS: Log an error message when SSL_ExportKeyingMaterial() fails
Diagnostic for 29241.
2019-04-06 11:06:22 +10:00
teor
8b3b605a15
Merge branch 'maint-0.3.5' into maint-0.4.0 2019-04-06 09:33:28 +10:00
teor
3b9e3cca94
Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-06 09:33:20 +10:00
teor
48e990359b
Merge branch 'maint-0.2.9' into maint-0.3.4 2019-04-06 09:33:11 +10:00
teor
316aed502e
Merge remote-tracking branch 'tor-github/pr/898' into maint-0.3.5 2019-04-06 09:32:53 +10:00
teor
ea5e371822
Merge remote-tracking branch 'tor-github/pr/903' into maint-0.3.5 2019-04-06 09:31:52 +10:00
teor
44ea341117
Merge remote-tracking branch 'tor-github/pr/879' into maint-0.3.5 2019-04-06 09:30:52 +10:00
teor
102178e6d4
Merge remote-tracking branch 'tor-github/pr/878' into maint-0.3.4 2019-04-06 09:30:04 +10:00
teor
a0db5ade3e
Merge remote-tracking branch 'tor-github/pr/902' into maint-0.2.9 2019-04-06 09:28:58 +10:00
teor
e1955a2c54
Merge remote-tracking branch 'tor-github/pr/877' into maint-0.2.9 2019-04-06 09:28:13 +10:00
George Kadianakis
071a000d67 Merge branch 'tor-github/pr/906' into maint-0.4.0 2019-04-05 16:44:59 +03:00
George Kadianakis
2cc3c98bc4 Merge branch 'tor-github/pr/901' into maint-0.4.0 2019-04-05 14:56:52 +03:00
George Kadianakis
7fe169a500 Merge branch 'tor-github/pr/879' into maint-0.4.0 2019-04-05 14:55:09 +03:00
George Kadianakis
217db9efe1 Merge branch 'tor-github/pr/902' into maint-0.4.0 2019-04-05 14:53:33 +03:00
George Kadianakis
747b74c182 Merge branch 'tor-github/pr/800' into maint-0.4.0 2019-04-05 14:51:21 +03:00
teor
db71bceb40
Merge branch 'bug29036-29962-034' into bug29036-29962-035 2019-04-05 12:58:32 +10:00
teor
a514e02476
Merge branch 'bug29036-029' into bug29036-29962-034 2019-04-05 12:58:16 +10:00
teor
f0cd8f804f
Makefile: actually, don't delete the gcno files
We need to keep the gcno files, because they are created at compile time.
2019-04-05 12:56:29 +10:00
teor
da678213e0
circuitpadding: comment fixes 2019-04-05 12:17:21 +10:00
teor
387d9448de
test/circuitpadding: Delete circuitpadding_circuitsetup_machine()
This test was disabled in 0.4.0 and later, but the fix in #29298 was only
merged to 0.4.1. So this test will never be re-enabled in 0.4.0.

Part of 29500.
2019-04-05 12:17:10 +10:00
Mike Perry
b733044f7a
Bug #29500: Fix monotime mocking in circpad unittests.
Our monotime mocking forces us to call monotime_init() *before* we set the
mocked time value. monotime_init() thus stores the first ratchet value at
whatever the platform is at, and then we set fake mocked time to some later
value.

If monotime_init() gets a value from the host that is greater than what we
choose to mock time at for our unittests, all subsequent monotime_abosolute()
calls return zero, which breaks all unittests that depend on time moving
forward by updating mocked monotime values.

So, we need to adjust our mocked time to take the weird monotime_init() time
into account, when we set fake time.
2019-04-05 12:15:55 +10:00
Mike Perry
28db7646ba
Changes file for bug 29500. 2019-04-05 12:14:18 +10:00
Mike Perry
b027b06dbb
Bug 29500: Start monotime at 1000 nsec.
Hopefully this will stop monotime_absolute_usec() from returning 0 on some
platforms in the tests.
2019-04-05 12:14:11 +10:00
Mike Perry
1f48c6cd83
Bug 29500: Attempt to fix the tokens test.
Cancel the padding timer by changing order of sent vs recv (sent cancels).
2019-04-05 12:13:19 +10:00
Nick Mathewson
d016bbaa7d Merge branch 'bug29959_040_squashed' into maint-0.4.0 2019-04-04 20:26:47 -04:00
teor
8e961b2174 bwauth: Actually include the bandwidth-file-digest in authority votes
Fixes bug 29959; bugfix on 0.4.0.2-alpha.
2019-04-04 20:26:09 -04:00
Nick Mathewson
d194f6bedf Implement an DormantCanceledByStartup option
Closes ticket 29357, and comes with appropriate notions of caution.
2019-04-04 11:48:36 -04:00
Nick Mathewson
db1c1dba34 Merge branch 'bug30021_029' into bug30021_035 2019-04-04 11:26:33 -04:00
Nick Mathewson
1710f4bbd6 Do not cache bogus results from classifying client ciphers
When classifying a client's selection of TLS ciphers, if the client
ciphers are not yet available, do not cache the result. Previously,
we had cached the unavailability of the cipher list and never looked
again, which in turn led us to assume that the client only supported
the ancient V1 link protocol.  This, in turn, was causing Stem
integration tests to stall in some cases.  Fixes bug 30021; bugfix
on 0.2.4.8-alpha.
2019-04-04 11:24:55 -04:00
teor
ef06ef217a
Merge branch 'bug30011_035' into bug30011_040
Merge bug30011 new package timelimit with 0.4.0 new package shellcheck.
Move shellcheck into the correct category.
2019-04-04 13:23:26 +10:00
teor
3fa42d599a
Travis: Terminate test-stem if it takes more than 9.5 minutes to run
(Travis terminates the job after 10 minutes of no output.)

Diagnostic for 29437.

Fixes bug 30011; bugfix on 0.3.5.4-alpha.
2019-04-04 13:21:35 +10:00
Nick Mathewson
5613968d57 Improve logging for 28614.
When we fixed 28614, our answer was "if we failed to load the
consensus on windows and it had a CRLF, retry it."  But we logged
the failure at "warn", and we only logged the retry at "info".

Now we log the retry at "notice", with more useful information.

Fixes bug 30004.
2019-04-03 14:30:56 -04:00
Nick Mathewson
821d29e420 fdio.c: add more includes.
This is just in case there is some rogue platform that uses a
nonstandard value for SEEK_*, and does not define that macro in
unistd.h.  I think that's unlikely, but it's conceivable.
2019-04-03 13:53:36 -04:00
Nick Mathewson
99b87d7ca4 Even more diagnostic messages for bug 28223.
Try to figure out _where exactly_ we are first encountering NULs in
microdescriptors, and what we are doing when that happens.
2019-04-03 13:53:06 -04:00
George Kadianakis
42aae0e693 Merge branch 'tor-github/pr/867' into maint-0.4.0 2019-04-03 17:59:02 +03:00
George Kadianakis
828f1829c8 Merge branch 'tor-github/pr/811' into maint-0.4.0 2019-04-03 17:50:49 +03:00
Nick Mathewson
367dd9cf02 30001: Fix a race condition in test_dir_handle_get.c
Previously we used time(NULL) to set the Expires: header in our HTTP
responses.  This made the actual contents of that header untestable,
since the unit tests have no good way to override time(), or to see
what time() was at the exact moment of the call to time() in
dircache.c.

This gave us a race in dir_handle_get/status_vote_next_bandwidth,
where the time() call in dircache.c got one value, and the call in
the tests got another value.

I'm applying our regular solution here: using approx_time() so that
the value stays the same between the code and the test.  Since
approx_time() is updated on every event callback, we shouldn't be
losing any accuracy here.

Fixes bug 30001. Bug introduced in fb4a40c32c4a7e5; not in any
released Tor.
2019-04-03 10:16:18 -04:00
Nick Mathewson
de76862fd6 Merge branch 'maint-0.3.5' into maint-0.4.0 2019-04-03 09:27:44 -04:00
Nick Mathewson
4aa02d3c7a Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-03 09:27:43 -04:00