Timo Sirainen [Tue, 5 Aug 2014 15:43:31 +0000 (17:43 +0200)]
lib-http server: Require handle_request() to either send a response or reference the request.
This should make it more difficult to accidentally forget to send a
response and cause a hang.
Currently this assert-crashes, although it would have been possible to make
it return some internal error instead also.
Timo Sirainen [Tue, 5 Aug 2014 14:07:25 +0000 (16:07 +0200)]
lib-http server: Removed "bool close" parameters in favor of _close() functions.
Most callers don't want to close the connection so it's an extra parameter
usually. Also it's difficult to remember what the TRUE/FALSE means so it's
easy to cause bugs by copy&pasting the code.
http_server_request_fail() will also now forcibly close the connection if
conn->input_broken is set.
Phil Carmody [Wed, 30 Jul 2014 12:01:29 +0000 (15:01 +0300)]
lib: test-data-stack - add some fatal tests.
Extra caution is necessary as data-stack is such a fundamental component.
All of the brokenness that we add must be undone as soon as possible, or
there will be an endless loop of catastrophic errors. In order to avoid
that, at least try to detect some issues, and abort as quickly as possible.
Alas, due to the reliance of these tests on DEBUG code, if that's not set,
this test is a no-op.
Phil Carmody [Wed, 30 Jul 2014 12:01:29 +0000 (15:01 +0300)]
lib-test: permit tests of fatal conditions
Some functions have no mechanism of reporting an error, and mustn't continue,
so fatality is the only way out. (E.g. memory allocation failures.)
This addition is for those situations. Semantics of failure tests are very
different from normal tests:
- The test function must have the following prototype:
enum fatal_test_state test_fatal_things(int index);
- The index it will be called with starts at 0, and increments each time.
- It must call test_start() at the start of its first call.
- Apart from its final call, it must call a function it expects to trap the
fatal error handler. If that fails to trap, it must return FATAL_TEST_FAILURE
- After returning FATAL_TEST_FAILURE, it will continue to be called as normal.
- When there are no more tests to perform, it must clean up, call test_end()
and return FATAL_TEST_FINISHED. It will not be called again.
- If it detects errors in this protocol, it must not i_assert(), as that will
be treated as an expected fatal, it must return FATAL_TEST_ABORT. It will
then not be called again. It must not call test_end() in this case.
Timo Sirainen [Tue, 29 Jul 2014 14:27:24 +0000 (17:27 +0300)]
quota: Avoid assert-crash in Maildir++ quota if backend doesn't support control dirs.
We'll delay looking up the control dir until we've checked that the storage
is Maildir.
Timo Sirainen [Tue, 29 Jul 2014 10:58:10 +0000 (13:58 +0300)]
mbox: Fixed infinite looping and other incorrectness in istream-raw-mbox.
This was caused by the recent istream invalidation checks in
i_stream_get_data().
Phil Carmody [Mon, 28 Jul 2014 13:49:47 +0000 (16:49 +0300)]
lib-imap: imap-utf7 - reject encoded simple ASCII
"Modified BASE64 MUST NOT be used to represent any printing US-ASCII
character which can represent itself."
"The character "&" (0x26) is represented by the two-octet sequence "&-""
Therefore any mBASE64 sequence containing any character between 0x20 and
0x7e is invalid.
Phil Carmody [Mon, 28 Jul 2014 13:49:47 +0000 (16:49 +0300)]
lib-imap: imap-utf7 - reject bogus characters in the mUTF7
Only 0x20..0x7e are permitted, as "All other characters (octet values
0x00-0x1f and 0x7f-0xff) are represented in modified BASE64, ...".
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib-test: make internal helpers static
These functions should only be called from within test_run(), as some of the
test-suite sanity checks can be subvirted if these are exposed.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: compile time checks for buffer creation
Ensure the data buffer has as much space as the size parameter claims.
This uses the strictest test GCC provides - the smallest containing object,
and returning 0 for unknown size.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - start sentry checks immediately after the reserved buffer
Our sentries are written with byte-precision, no need to round up before
doing the checks.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - fix incorrect pointer comparison in t_try_realloc in DEBUG builds
When trying to work out if it's a valid realloc, we need to remember
that in DEBUG builds, we have hidden a size value (in a MEM_ALIGNED
space) before the pointer we return.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - fix realloc/lowwater bug
If DEBUG is enabled, then it can try to look past the low-water mark
as the low-water mark wasn't moved during successful reallocs. This
condition is detected, and causes a panic.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - pull common code out of if/else branches in t_malloc_real
Once the new block is set up nicely empty for use, it can be used exactly
like an old block that has enough space - so just merge the code paths.
(This changeset best viewed ignoring whitespace.)
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - reorder full current block code
Make the "enough space" and "block is full" branches in t_malloc_real
have the same code structure for parallelism. The 'block' variable is only
needed very locally, so shrink its scope, and avoid its use once it is
assigned to current_block, use that instead. Compacter readable expressions
have been favoured at the expense of longer lines (which will soon shrink).
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - helper macro for requested/allocated size
Rather than #if/#else/#endif around such calculations, or even
having the possibility to mistype such expressions, just extract
the calculation into a helper macro defined appropriately for
the DEBUG mode.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - disambiguate sizes in t_pop_verify
In DEBUG mode, the allocated size is bigger than the requested size, so
rename the variable to reflect its real meaning, and move it into a
tighter scope in the process.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: test-data-stack - too important a library not to be thrashed hard
OK, it's thrashed a bit by other tests such as aqueue, str, etc., but these
tests attempt to probe all corner cases given detailed knowledge of the
limits of the block/frame implementation.
At the moment, no realloc functionality is tested, as with DEBUG builds
they would fail very noisily.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: data-stack - enable tighter sanity checks on stack_block allocations
The canary doesn't have to be NULL. That's only effective if it will be read
and dereferenced as a pointer. If used as an integer, it's a perfectly boring
one, and not likely to draw attention to itself.
Once the canary is in place, at least in debug mode, we can check it in
every function as a sanity check.
Make our poison stand out from other poison used elsewhere in the code.
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: add rudementary statistics gathering to data-stack debugging
These currently just enhance the overly-large alloc_size warning
message in t_malloc_real() to show what the history of allocations
is. New warnings look like this:
Warning: Growing data stack by 32768 as 'test_run_funcs' reaches 16416 bytes from 202 allocations.
Future possible directions:
t_malloc_real() could be further modified to identify badly-behaved
regions of code that allocate lots of smaller blocks as it happens
(which might be noisy). t_pop() could be modified to detect such code
after it exits its block (so just one warning per instance of
misbehaviour).
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)]
lib: add identifying markers to data-stack frames
Add a string parameter to t_push() so that in DEBUG mode,
misbehaviour inside a stack level can be blamed on someone.
Default the T_BEGIN macro to automatigally use __FUNCTION__ or
__FILE__:__LINE__ as that identifier, therefore no clients of
those macros need to change.
ioloop used t_push() directly as it wanted customised diagnostic
strings. To preserve this friendliness, also introduce a t_push_named()
which takes a format string with paramters.
Apart from the unused paramter, a non-DEBUG build should see no
changes.
Timo Sirainen [Mon, 28 Jul 2014 12:14:17 +0000 (15:14 +0300)]
lib-storage: Don't allow '/' for filesystem based mailbox list backends if their internal separator isn't '/'.
Basically this means that Maildir++ shouldn't be allowed to create mailboxes
with '/' in the name.
Timo Sirainen [Fri, 11 Jul 2014 09:10:02 +0000 (12:10 +0300)]
lib: Added fd=-1 assert to i_close_fd() macro.
This way we'll see clearly where it fails, instead of just seeing assert in
close_keep_errno() without an easy way to see where it crashed.
Timo Sirainen [Fri, 11 Jul 2014 08:14:41 +0000 (11:14 +0300)]
lib: ioloop-epoll didn't correctly check if there were any IO events.
Alternatively we could have checked for array_count(&ctx->events) >
ctx->deleted_count, but this code is a bit more understandable.
This change doesn't actually fix any proper bugs, it just causes the process
to crash instead of going to infinite wait loop.
Timo Sirainen [Thu, 10 Jul 2014 15:31:10 +0000 (18:31 +0300)]
lmtp: Remove <> from Delivered-To: header.
This annoyingly changes Dovecot behavior in the middle of v2.2.x series, but
the earlier value was definitely wrong.. Perhaps we still need to provide a
setting for this, but that's pretty annoying as well.
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)]
lib: test-istream-tee - randomise which tee stream lags behind the others
Just in case there's something special about the start or the end of the
list of children, make each file be the one that lags behind the others.
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)]
lib: test-istream-tee - verify _read returns correct values after _set_size()
Previously, only an increase of 1 in the size was tested. This ensures that
0 and numbers > 1 are also tested.
Also add _idx to the asserts, so we know where in the loop it failed.
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)]
lib: test-istream-concat - test only concat, not simultanious limit streams
Test just concat functionality in this unit test. Simultanious access of
limit streams can be tested elsewhere.
Without the fix in: 31efe2d04793 lib: istream-concat read() returned -2 too early.
The failure previously seen in test-istream-concat would be still reproducable:
test-istream-concat.c:84: Assert failed: size >= TEST_MAX_BUFFER_SIZE
istream concat random ................................................ : FAILED
test: random seed #1 was 1403118493
Timo Sirainen [Mon, 7 Jul 2014 13:21:08 +0000 (16:21 +0300)]
lib-index: Don't update log_file_tail_offset unnecessarily.
Update it only if we're already writing to transaction log anyway or if
we're required to update the offset because mail_index_sync_commit() has
increased it past non-external transactions (this is especially important
with mdbox map index).
Timo Sirainen [Mon, 7 Jul 2014 10:24:22 +0000 (13:24 +0300)]
lib-storage: Minor code cleanup to istream-mail.
eof=TRUE shouldn't be possible with ret=-2, so this just makes it clearer
what the code's intention is.
Timo Sirainen [Fri, 4 Jul 2014 12:33:12 +0000 (15:33 +0300)]
lib: istream-tee wasn't returning data correctly always.
This fixes an assert-crash in istream-tee.c. (Hopefully it was always
assert-crashing instead of returning corrupted data.)
Phil Carmody [Fri, 4 Jul 2014 11:48:44 +0000 (14:48 +0300)]
lib: failures - cosmetic write_full cleanup
Error message should have a trailing newline.
Use the POSIX macro for stderr's file number, rather than its numeric value.
Timo Sirainen [Fri, 4 Jul 2014 11:01:53 +0000 (14:01 +0300)]
lib-storage: Log mail istream read failures in one place.
Also handle ENOENT errors by checking if the mail has already been expunged,
and if so don't log an error, just return "mail is already expunged" error
to client.
Timo Sirainen [Fri, 4 Jul 2014 10:16:01 +0000 (13:16 +0300)]
lib-storage: If mail body reading failed, the error message may have contained only minimal errno string.
Even though the istream could have had a much better internal error message.
So show it.
Timo Sirainen [Thu, 3 Jul 2014 17:42:08 +0000 (20:42 +0300)]
acl: Create struct acl_mailbox also for shared root namespace mailboxes.
This fixes crashes where imap_acl code attempts to access ACLs for
nonexistent mailboxes inside shared root namespace. Alternatively the
imap_acl plugin could have checked the nonexistence of ACLs but this is
probably easier and more guaranteed to work.
Timo Sirainen [Thu, 3 Jul 2014 17:28:16 +0000 (20:28 +0300)]
lmtp: Removed code that attempts to deduplicate mail files by copying them between user mailboxes.
This sometimes started failing if the mail that was being used for copying
was deleted by the user. There's no good way for lmtp code to fix that
situation.
If deduplication is needed, it could be implemented in a more generic way
inside mailbox_copy() where after initial copy it would store the
destination struct mail to src_mail->last_copy_dest_mail. If another mail is
copied, the last_copy_dest_mail could be attempted to be used for the
copying and if that doesn't work it would fallback to regular copying. This
should probably be attempted only for lda/lmtp processes as it would just
cause extra overhead for others.
Phil Carmody [Thu, 3 Jul 2014 16:17:16 +0000 (19:17 +0300)]
openssl: optionally disable TLS compression
Make ssl compression optional, but enabled by default. Other ssl options
might be tweakable in the future, so have a single ssl_options string,
and explode it into individual flags. (Compare postfix configuration.)
Based on an idea by Andreas Schulze <sca@andreasschulze.de>
Timo Sirainen [Thu, 3 Jul 2014 16:12:02 +0000 (19:12 +0300)]
lib-storage: Added mail_namespace_is_shared_user_root() and used it where useful.
Most importantly this should fix a crash in ACL plugin where type=shared
namespace was used without any kind of per-user prefix/location (i.e. it
probably should have been a type=public namespace instead).
projects / thirdparty / dovecot / core.git / log
