Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)]
lib: test-istream-tee - verify _read returns correct values after _set_size()
Previously, only an increase of 1 in the size was tested. This ensures that
0 and numbers > 1 are also tested.
Also add _idx to the asserts, so we know where in the loop it failed.
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)]
lib: test-istream-concat - test only concat, not simultanious limit streams
Test just concat functionality in this unit test. Simultanious access of
limit streams can be tested elsewhere.
Without the fix in: 31efe2d04793 lib: istream-concat read() returned -2 too early.
The failure previously seen in test-istream-concat would be still reproducable:
test-istream-concat.c:84: Assert failed: size >= TEST_MAX_BUFFER_SIZE
istream concat random ................................................ : FAILED
test: random seed #1 was 1403118493
Timo Sirainen [Mon, 7 Jul 2014 13:21:08 +0000 (16:21 +0300)]
lib-index: Don't update log_file_tail_offset unnecessarily.
Update it only if we're already writing to transaction log anyway or if
we're required to update the offset because mail_index_sync_commit() has
increased it past non-external transactions (this is especially important
with mdbox map index).
Timo Sirainen [Mon, 7 Jul 2014 10:24:22 +0000 (13:24 +0300)]
lib-storage: Minor code cleanup to istream-mail.
eof=TRUE shouldn't be possible with ret=-2, so this just makes it clearer
what the code's intention is.
Timo Sirainen [Fri, 4 Jul 2014 12:33:12 +0000 (15:33 +0300)]
lib: istream-tee wasn't returning data correctly always.
This fixes an assert-crash in istream-tee.c. (Hopefully it was always
assert-crashing instead of returning corrupted data.)
Phil Carmody [Fri, 4 Jul 2014 11:48:44 +0000 (14:48 +0300)]
lib: failures - cosmetic write_full cleanup
Error message should have a trailing newline.
Use the POSIX macro for stderr's file number, rather than its numeric value.
Timo Sirainen [Fri, 4 Jul 2014 11:01:53 +0000 (14:01 +0300)]
lib-storage: Log mail istream read failures in one place.
Also handle ENOENT errors by checking if the mail has already been expunged,
and if so don't log an error, just return "mail is already expunged" error
to client.
Timo Sirainen [Fri, 4 Jul 2014 10:16:01 +0000 (13:16 +0300)]
lib-storage: If mail body reading failed, the error message may have contained only minimal errno string.
Even though the istream could have had a much better internal error message.
So show it.
Timo Sirainen [Thu, 3 Jul 2014 17:42:08 +0000 (20:42 +0300)]
acl: Create struct acl_mailbox also for shared root namespace mailboxes.
This fixes crashes where imap_acl code attempts to access ACLs for
nonexistent mailboxes inside shared root namespace. Alternatively the
imap_acl plugin could have checked the nonexistence of ACLs but this is
probably easier and more guaranteed to work.
Timo Sirainen [Thu, 3 Jul 2014 17:28:16 +0000 (20:28 +0300)]
lmtp: Removed code that attempts to deduplicate mail files by copying them between user mailboxes.
This sometimes started failing if the mail that was being used for copying
was deleted by the user. There's no good way for lmtp code to fix that
situation.
If deduplication is needed, it could be implemented in a more generic way
inside mailbox_copy() where after initial copy it would store the
destination struct mail to src_mail->last_copy_dest_mail. If another mail is
copied, the last_copy_dest_mail could be attempted to be used for the
copying and if that doesn't work it would fallback to regular copying. This
should probably be attempted only for lda/lmtp processes as it would just
cause extra overhead for others.
Phil Carmody [Thu, 3 Jul 2014 16:17:16 +0000 (19:17 +0300)]
openssl: optionally disable TLS compression
Make ssl compression optional, but enabled by default. Other ssl options
might be tweakable in the future, so have a single ssl_options string,
and explode it into individual flags. (Compare postfix configuration.)
Based on an idea by Andreas Schulze <sca@andreasschulze.de>
Timo Sirainen [Thu, 3 Jul 2014 16:12:02 +0000 (19:12 +0300)]
lib-storage: Added mail_namespace_is_shared_user_root() and used it where useful.
Most importantly this should fix a crash in ACL plugin where type=shared
namespace was used without any kind of per-user prefix/location (i.e. it
probably should have been a type=public namespace instead).
Timo Sirainen [Thu, 3 Jul 2014 14:44:32 +0000 (17:44 +0300)]
virtual: Never keep more than specified number of physical mailboxes open.
This should make virtual mailboxes work for users who have a a ton of
mailboxes with a ton of mails. Earlier code would likely have failed either
with "Too many open files" or crashed with "Out of memory".
You can change the max number of open mailboxes with:
Timo Sirainen [Thu, 3 Jul 2014 14:29:58 +0000 (17:29 +0300)]
lib-index: Index cache could have kept too many indexes open.
If a lot of indexes were allocated and then later on they were opened and
closed, the alloc-cache simply kept all the indexes open even after they
should have been closed.
Timo Sirainen [Thu, 3 Jul 2014 13:07:09 +0000 (16:07 +0300)]
lib: DLLIST*_REMOVE*() no longer breaks the linked list if we try to remove item that doesn't exist there.
Hopefully there wasn't any code that actually did this, but it's safer this
way anyway. Perhaps it could be even made to assert-crash if it happens.
Timo Sirainen [Thu, 3 Jul 2014 11:54:43 +0000 (14:54 +0300)]
virtual: Recent flags dropping wasn't working as intended.
In the old code '+' meant that \Recent flags were dropped also when the
virtual mailbox was EXAMINEd. SELECTing a mailbox always dropped \Recent
flags regardless of the '+' flag.
What should have happened (and does in new code) is that the \Recent flags
are dropped only on SELECT and only if '+' flag is set.
Phil Carmody [Thu, 3 Jul 2014 09:42:11 +0000 (12:42 +0300)]
lib-imap: test-imap-url - quieten successful sub-tests
Every sub-component of a URL doesn't need its own successful log, so use the
only-print-on-error test_out_quiet() function instead. All failures are just
as explicit as before.
Phil Carmody [Thu, 3 Jul 2014 09:42:11 +0000 (12:42 +0300)]
lib-test: test-common - add test_out_quiet() to reduce verbosity
Like test_out() but only prints anything if success is false.
This makes it quite much like test_assert(), except that it
doesn't print the code fragment, it prints a custom string.
However, it still counts as a test in the total count, unlike
test_assert*()s.
Timo Sirainen [Wed, 2 Jul 2014 17:36:49 +0000 (20:36 +0300)]
quota: Fixed quota_transaction_is_over() to handle "user is already over quota" case.
If size=0 we didn't return failure. This change also fixes various potential
integer overflows in the check. Added unit test for the function.
Timo Sirainen [Wed, 2 Jul 2014 17:13:35 +0000 (20:13 +0300)]
lib: Added UINT64_SUM_OVERFLOWS()
Maybe the unit tests are kind of unnecessary since the macro is so simple,
but at least it's now a well tested simple macro :)
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
pop3: pop3-commands - harden integer parsers against integer overflow
In get_msgnum(), the invalid input "4772185884" (2^32*10/9) would be
parsed as being valid.
In get_size(), the invalid input "204963823041217240178" (2^64*10/9)
would be parsed as being valid.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib-http: test-http-url - add some tricky invalid numeric hostname URLs
Try to get the numeric octet parser to fail. The RFCs specify that we should
fall back onto parsing them as domain names instead, and hence the unexpected
legitimacy of out-of-range numbers.
NOTE: This causes make check to report the following error:
http url valid [11]: http_url_parse(http://127.0.0.284/this/also/reverts/to/DNS) : ok
test-http-url.c:328: Assert failed: urlp->have_host_ip == urlt->have_host_ip
http url valid [11] .................................................. : FAILED
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: uri-util - harden uri_parse_port against overflow
The invalid input 72817 (2^16*10/9) is parsed as a valid value.
7281 * 10 + 7 = 72817 == 7281 (mod 2^16), so the prev check fails.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
imap: harden read_uoff_t() against overflow
Invalid strings like "20496382304121724029" (2^64*10/9) can be parsed
as valid. Use the new helper.
Change in error behaviour - previously overflows, if they were detected,
caused *p to point to the digit causing the overflow. Now it's undefined.
Current clients don't care about this difference, they just bail.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: strnum - add a permissive uoff_t parser
Functions like these are so cookie-cutter, we may as well use a macro.
Note that signed helpers, if they ever appear, will need more care.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: test-strnum - tests for the new partial-string parser
We can simplify the main tests by always testing whether an appended
non-digit causes parsing to fail at the same time that we test it doesn't
fail with the new more permissive helpers.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: strnum - add permissive partial-string integer parser
Not all strings we want to parse are already strtok'ed into separate pieces.
Therefore add helpers which will read the integer, and return a pointer
past the parsed integer.
The previous helpers can be considered a special case which just follows up
with a check that the '\0' has been reached.
Showing a preference for const pointers generally, this does not try to
mimic the non-const interface of strto{l,ul,ll,ull}().
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib-imap: number parsing simplification and hardenning
The invalid string "4772185884" (2^32*10/9) will be misparsed as being valid.
In uint32_t's, 477218588 * 10 + 4 = 477218588
Many large ranges have this issue, 477218588x-858993459x, 954437176x-...
Do not perform operations which might wrap, and then try to detect the issue,
just compare with the known fixed bounds before doing the multiplication.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: test-lib - add unit tests for str_to_*() helpers
This doesn't test all the helpers, but ensures both signed and unsigned
are tested, as are 32-bit and 64-bit cases. All the other helpers fall
back onto using one of those cases. Unless uintmax_t is larger than 64
bits, in which case this needs a revisit.
NOTE: This causes the following make check errors:
test-strnum.c:35: Assert(#7) failed: ret == u64tests[i].ret
test-strnum.c:35: Assert(#10) failed: ret == u64tests[i].ret
test-strnum.c:37: Assert(#10) failed: val == u64tests[i].val
str_to_uint64 ........................................................ : FAILED
Corresponding to test cases:
[7] = INVALID(18446744073709551616),
This does not wrap-past-0 (become smaller) on multiply, but wraps-past-0 on addition.
[10]= INVALID(20496382304121724020),
This wraps-past-n (becomes larger) on multiply.
Timo Sirainen [Mon, 30 Jun 2014 11:35:32 +0000 (14:35 +0300)]
lib-storage: Shrink "mailbox is being deleted" timeout from 5 mins to 30 secs.
Even 30s may be too much since normally a few seconds would be enough, but
keep it high enough just in case.
Timo Sirainen [Mon, 30 Jun 2014 11:34:00 +0000 (14:34 +0300)]
lib-storage: When deleting mailbox, finish the expunges before marking mailbox deleted.
This decreases the amount of time the mailbox is visible but not accessible.
Timo Sirainen [Mon, 30 Jun 2014 11:30:43 +0000 (14:30 +0300)]
lib-storage: Added index_storage_mailbox_delete_pre/post().
This avoids reimplementing the whole index_storage_mailbox_delete() for
storage backends that need to do more work in the middle.
Stephan Bosch [Fri, 27 Jun 2014 14:39:52 +0000 (17:39 +0300)]
imap-url: Fixed handling of ipath-empty syntax (basically empty relative URLs).
This also normalizes Mailbox/ to Mailbox.
Initial indication reported by Coverity.
Phil Carmody [Fri, 27 Jun 2014 13:20:25 +0000 (16:20 +0300)]
lib: rand - force reseeding with known seed from environment
Use DOVECOT_SRAND=12345 as an environmental variable to force seeding
to that number.
The logic behind the logging is that the subsequent calls will almost
certainly be from random_fill_weak() which expects to have been seeded
from a CSPRNG - not a constant! Having this environmental variable set
in a production system that expects CSPRNG seeding should be flagging
diagnostics.
Phil Carmody [Fri, 27 Jun 2014 13:17:50 +0000 (16:17 +0300)]
lib: remove unwanted srand()s from unit tests
We'll get better coverage without them.
Note: this change causes the following test case failure occasionally:
test-istream-concat.c:88: Assert failed: size >= TEST_MAX_BUFFER_SIZE
istream concat random ................................................ : FAILED
test: random seed #1 was 1403027537
Phil Carmody [Fri, 27 Jun 2014 13:17:07 +0000 (16:17 +0300)]
lib-test: use the new srand() tracking helpers to aid debugging
We can only be sure we know the entirity of the stream of numbers returned
by rand if rand_set_seed has been called precisely once, as after that we
can't be sure when it was called a 2nd or further time. However, at least
we can know that that has happened. (Likewise, any calls to srand() will
disturb the flow.)
Most unit test cases should be simple enough that there should be only one
seeding.
Phil Carmody [Fri, 27 Jun 2014 13:16:16 +0000 (16:16 +0300)]
lib: use new srand() wrapper in lib
Of course, multiple seeding calls make it harder to know exactly
what numbers have been generated. But this is better than nothing.
Phil Carmody [Fri, 27 Jun 2014 13:15:24 +0000 (16:15 +0300)]
lib: add rand helper library
Initially, just wrap srand() so that we can find out what the last-used
seed was. In situations where srand() is called only once (via this helper)
this lets us reproduce exactly the same stream of random data again in
order to reproduce rare crashes.
Phil Carmody [Fri, 27 Jun 2014 13:13:37 +0000 (16:13 +0300)]
lib: two quite literally random little cleanups
file-dotlock.c does not use randgen.h, remove the #include
test-buffer.c random() has been used rather than rand()
Phil Carmody [Fri, 27 Jun 2014 13:13:09 +0000 (16:13 +0300)]
lib: make printf_format_fix safer against shadowed %m behaviour
If there's a %m followed by a %n or %m, then the %n or %m won't be seen.
For %m, that's mostly harmless, but for %n it's potentially kaboom.
Timo Sirainen [Thu, 26 Jun 2014 17:46:21 +0000 (20:46 +0300)]
lib: iostream-rawlog now supports TCP target with "tcp:host:port" as the path.
We'll use blocking sockets, so a slow rawlog server causes performance
problems also for Dovecot while it's waiting on rawlog writes.
Timo Sirainen [Thu, 26 Jun 2014 14:50:57 +0000 (17:50 +0300)]
lib-storage: BODYSTRUCTURE parsing failures weren't treated correctly.
We still assumed that the parsing succeeded and assert-crashed later or
maybe returned invalid results. (This could have happened only if there was
a problem reading the mail stream.)
projects / thirdparty / dovecot / core.git / log
