Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib-http: test-http-url - add some tricky invalid numeric hostname URLs
Try to get the numeric octet parser to fail. The RFCs specify that we should
fall back onto parsing them as domain names instead, and hence the unexpected
legitimacy of out-of-range numbers.
NOTE: This causes make check to report the following error:
http url valid [11]: http_url_parse(http://127.0.0.284/this/also/reverts/to/DNS) : ok
test-http-url.c:328: Assert failed: urlp->have_host_ip == urlt->have_host_ip
http url valid [11] .................................................. : FAILED
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: uri-util - harden uri_parse_port against overflow
The invalid input 72817 (2^16*10/9) is parsed as a valid value.
7281 * 10 + 7 = 72817 == 7281 (mod 2^16), so the prev check fails.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
imap: harden read_uoff_t() against overflow
Invalid strings like "20496382304121724029" (2^64*10/9) can be parsed
as valid. Use the new helper.
Change in error behaviour - previously overflows, if they were detected,
caused *p to point to the digit causing the overflow. Now it's undefined.
Current clients don't care about this difference, they just bail.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: strnum - add a permissive uoff_t parser
Functions like these are so cookie-cutter, we may as well use a macro.
Note that signed helpers, if they ever appear, will need more care.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: test-strnum - tests for the new partial-string parser
We can simplify the main tests by always testing whether an appended
non-digit causes parsing to fail at the same time that we test it doesn't
fail with the new more permissive helpers.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: strnum - add permissive partial-string integer parser
Not all strings we want to parse are already strtok'ed into separate pieces.
Therefore add helpers which will read the integer, and return a pointer
past the parsed integer.
The previous helpers can be considered a special case which just follows up
with a check that the '\0' has been reached.
Showing a preference for const pointers generally, this does not try to
mimic the non-const interface of strto{l,ul,ll,ull}().
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib-imap: number parsing simplification and hardenning
The invalid string "4772185884" (2^32*10/9) will be misparsed as being valid.
In uint32_t's, 477218588 * 10 + 4 = 477218588
Many large ranges have this issue, 477218588x-858993459x, 954437176x-...
Do not perform operations which might wrap, and then try to detect the issue,
just compare with the known fixed bounds before doing the multiplication.
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)]
lib: test-lib - add unit tests for str_to_*() helpers
This doesn't test all the helpers, but ensures both signed and unsigned
are tested, as are 32-bit and 64-bit cases. All the other helpers fall
back onto using one of those cases. Unless uintmax_t is larger than 64
bits, in which case this needs a revisit.
NOTE: This causes the following make check errors:
test-strnum.c:35: Assert(#7) failed: ret == u64tests[i].ret
test-strnum.c:35: Assert(#10) failed: ret == u64tests[i].ret
test-strnum.c:37: Assert(#10) failed: val == u64tests[i].val
str_to_uint64 ........................................................ : FAILED
Corresponding to test cases:
[7] = INVALID(18446744073709551616),
This does not wrap-past-0 (become smaller) on multiply, but wraps-past-0 on addition.
[10]= INVALID(20496382304121724020),
This wraps-past-n (becomes larger) on multiply.
Timo Sirainen [Mon, 30 Jun 2014 11:35:32 +0000 (14:35 +0300)]
lib-storage: Shrink "mailbox is being deleted" timeout from 5 mins to 30 secs.
Even 30s may be too much since normally a few seconds would be enough, but
keep it high enough just in case.
Timo Sirainen [Mon, 30 Jun 2014 11:34:00 +0000 (14:34 +0300)]
lib-storage: When deleting mailbox, finish the expunges before marking mailbox deleted.
This decreases the amount of time the mailbox is visible but not accessible.
Timo Sirainen [Mon, 30 Jun 2014 11:30:43 +0000 (14:30 +0300)]
lib-storage: Added index_storage_mailbox_delete_pre/post().
This avoids reimplementing the whole index_storage_mailbox_delete() for
storage backends that need to do more work in the middle.
Stephan Bosch [Fri, 27 Jun 2014 14:39:52 +0000 (17:39 +0300)]
imap-url: Fixed handling of ipath-empty syntax (basically empty relative URLs).
This also normalizes Mailbox/ to Mailbox.
Initial indication reported by Coverity.
Phil Carmody [Fri, 27 Jun 2014 13:20:25 +0000 (16:20 +0300)]
lib: rand - force reseeding with known seed from environment
Use DOVECOT_SRAND=12345 as an environmental variable to force seeding
to that number.
The logic behind the logging is that the subsequent calls will almost
certainly be from random_fill_weak() which expects to have been seeded
from a CSPRNG - not a constant! Having this environmental variable set
in a production system that expects CSPRNG seeding should be flagging
diagnostics.
Phil Carmody [Fri, 27 Jun 2014 13:17:50 +0000 (16:17 +0300)]
lib: remove unwanted srand()s from unit tests
We'll get better coverage without them.
Note: this change causes the following test case failure occasionally:
test-istream-concat.c:88: Assert failed: size >= TEST_MAX_BUFFER_SIZE
istream concat random ................................................ : FAILED
test: random seed #1 was 1403027537
Phil Carmody [Fri, 27 Jun 2014 13:17:07 +0000 (16:17 +0300)]
lib-test: use the new srand() tracking helpers to aid debugging
We can only be sure we know the entirity of the stream of numbers returned
by rand if rand_set_seed has been called precisely once, as after that we
can't be sure when it was called a 2nd or further time. However, at least
we can know that that has happened. (Likewise, any calls to srand() will
disturb the flow.)
Most unit test cases should be simple enough that there should be only one
seeding.
Phil Carmody [Fri, 27 Jun 2014 13:16:16 +0000 (16:16 +0300)]
lib: use new srand() wrapper in lib
Of course, multiple seeding calls make it harder to know exactly
what numbers have been generated. But this is better than nothing.
Phil Carmody [Fri, 27 Jun 2014 13:15:24 +0000 (16:15 +0300)]
lib: add rand helper library
Initially, just wrap srand() so that we can find out what the last-used
seed was. In situations where srand() is called only once (via this helper)
this lets us reproduce exactly the same stream of random data again in
order to reproduce rare crashes.
Phil Carmody [Fri, 27 Jun 2014 13:13:37 +0000 (16:13 +0300)]
lib: two quite literally random little cleanups
file-dotlock.c does not use randgen.h, remove the #include
test-buffer.c random() has been used rather than rand()
Phil Carmody [Fri, 27 Jun 2014 13:13:09 +0000 (16:13 +0300)]
lib: make printf_format_fix safer against shadowed %m behaviour
If there's a %m followed by a %n or %m, then the %n or %m won't be seen.
For %m, that's mostly harmless, but for %n it's potentially kaboom.
Timo Sirainen [Thu, 26 Jun 2014 17:46:21 +0000 (20:46 +0300)]
lib: iostream-rawlog now supports TCP target with "tcp:host:port" as the path.
We'll use blocking sockets, so a slow rawlog server causes performance
problems also for Dovecot while it's waiting on rawlog writes.
Timo Sirainen [Thu, 26 Jun 2014 14:50:57 +0000 (17:50 +0300)]
lib-storage: BODYSTRUCTURE parsing failures weren't treated correctly.
We still assumed that the parsing succeeded and assert-crashed later or
maybe returned invalid results. (This could have happened only if there was
a problem reading the mail stream.)
Timo Sirainen [Thu, 26 Jun 2014 14:27:22 +0000 (17:27 +0300)]
dbox: mail_get_special() may have returned MAIL_FETCH_POP3_ORDER allocated from data stack.
Although this seems to have worked for now, it shouldn't have been done.
Timo Sirainen [Fri, 20 Jun 2014 09:18:32 +0000 (12:18 +0300)]
lib: fd_recv() no longer checks for msghdr.msg_controllen
It doesn't work at least in OpenBSD and Tru64, and apparently it shouldn't
really be needed anyway, so don't bother with it. We'll still keep checking
the cmsghdr since that appears to work everywhere now.
Timo Sirainen [Thu, 19 Jun 2014 14:16:24 +0000 (17:16 +0300)]
mbox: istream-tee wasn't being used as expected with the new changes, causing crashes/hangs.
After wondering about this for a while I decided this was the only fully
reliable way of doing this. Although it would have been possible to change
the istream-tee code to support this:
child1 and child2 are tee-istream children:
- i_stream_read(child1)
- i_stream_read(child2)
- i_stream_get_data(child1)
Because reading from the parent istream-tee updates all of its childrens'
buffer, there's no big problem (other than access_counter currently messing
up). But if one of the children weren't a direct child of tee-istream, but
there was a wrapper istream, the wrapper's buffer wouldn't have been updated
by the istream-tee read. So rather than spending time figuring out to fix
the access_counter it's probably better to have it clearly fail as the use
case can't be fully safe anyway.
Timo Sirainen [Thu, 19 Jun 2014 12:50:40 +0000 (15:50 +0300)]
lmtp: Create all proxy DATA streams before reading from them.
I'm not sure if this actually fixes anything or not, but it's still safer
to do it this way.
Timo Sirainen [Thu, 19 Jun 2014 12:15:24 +0000 (15:15 +0300)]
lib: i_stream_read_copy_from_parent() now directly updates the access counter
This fixes a bug in istream-mail where it called i_stream_get_data() after
it and reset the stream's skip/pos.
Timo Sirainen [Thu, 19 Jun 2014 10:52:36 +0000 (13:52 +0300)]
lib: If two istreams share one parent, i_stream_get_data() may have returned corrupted data to another.
This happened only for istreams that used parent's buffer directly instead
of having their own buffer. For now at least we've solved this by truncating
the other stream's buffer so it needs to be read again. Hopefully this is
good enough.
Timo Sirainen [Mon, 16 Jun 2014 16:52:11 +0000 (19:52 +0300)]
login proxy: Added login_source_ips setting.
The setting contains a list of IPs/hosts. The setting may be prefixed with
"?" character to indicate that only those IPs should be used that exist in
the current server (allowing the same config to be shared by multiple
servers).
The IPs are used round robin as the source IP address when proxy creates TCP
connections. This becomes useful when there are a ton of connections from
the proxy to the same destination IP, because TCP ports run out after ~64k
connections.
Phil Carmody [Sat, 14 Jun 2014 08:58:57 +0000 (11:58 +0300)]
trivial variable-non-use fixes
Flagged by coverity. In one, as we're printing an error message, we
can actually put the string to use, which might aid debugging. In
the other, the variable can just be killed.
Phil Carmody [Fri, 13 Jun 2014 13:12:27 +0000 (16:12 +0300)]
fts-lucene: Fix SnowballAnalyzer constructors
Coverity found the uninitialised pointers in the latter constructor (which
is never used - kill it?). In comparing the other constructor, the lack of
strdup() jumped out at me.
In fixing them both I migrated them to actual C++ initialisers, rather than
dumb assignments to uninitialised members. Also migrated to dovecot's i_*
functions. Also fixed indentation for the 3 functions touched.
Timo Sirainen [Fri, 13 Jun 2014 12:14:44 +0000 (15:14 +0300)]
Added several asserts to make sure duplicates aren't inserted into hash table.
The previous commit hopefully fixed the problem causing auth and login
processes to sometimes die with "key not found from hash" error, but if not
maybe one of these will catch it.
Timo Sirainen [Fri, 13 Jun 2014 12:13:26 +0000 (15:13 +0300)]
lib-master: Fixed caching settings where both local_name and local_ip was specified.
Since cache_find() didn't use local_ip for a lookup when local_name existed,
cache_add() shouldn't add both of them either, otherwise it could be
inserting duplicate values to the cache hash and cause crashes.
Timo Sirainen [Thu, 12 Jun 2014 23:54:21 +0000 (02:54 +0300)]
imap, pop3: Remove the client from clients-list at the very end of the destroy function.
Especially with imap code the process title could have been refreshed too
early.
Timo Sirainen [Thu, 12 Jun 2014 22:30:14 +0000 (01:30 +0300)]
lib-storage: Fixed parsing corrupted mailbox list index header.
Duplicate IDs should have caused an error instead of being silently ignored.
Found by Coverity
Timo Sirainen [Thu, 12 Jun 2014 22:20:25 +0000 (01:20 +0300)]
lib-otp: OTP_MAX_WORD_LEN wasn't actually enforced, any word lengths could have been used.
Doesn't look like this could have caused any real problems.
Found by Coverity
Timo Sirainen [Thu, 12 Jun 2014 22:11:24 +0000 (01:11 +0300)]
fts: Improved doveadm fts dump for corrupted expunge log
Although we may still be trying to allocate up to 2 GB of memory, but at
least no more than that now.
Found by Coverity
Timo Sirainen [Thu, 12 Jun 2014 22:02:48 +0000 (01:02 +0300)]
lib: Fixed file_dotlock_replace(flags=DOTLOCK_REPLACE_FLAG_VERIFY_OWNER|DOTLOCK_REPLACE_FLAG_DONT_CLOSE_FD)
The verification check failed because fd was already set to -1 by that time.
Found by Coverity
Timo Sirainen [Thu, 12 Jun 2014 21:51:44 +0000 (00:51 +0300)]
imapc: Avoid crashing if server happens to send invalid resp-text-codes.
If [KEY VALUE] is missing the VALUE, just set it to "" instead of NULL.
Found by Coverity
Timo Sirainen [Thu, 12 Jun 2014 21:30:27 +0000 (00:30 +0300)]
auth: Invalid userdb passwd-file and userdb templates may have caused crashes.
Using just "key" parameter instead of "key=value" usually worked, but for
some keys the code assumed that there was a value and it dereferenced NULL.
We'll solve this by just using value="" instead of value=NULL.
Found by Coverity
projects / thirdparty / dovecot / core.git / log
