git.ipfire.org Git - thirdparty/dovecot/core.git/log
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: test-data-stack - add realloc tests
These will fail noisily with a DEBUG build until the realloc/DEBUG
bug is fixed.

Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - fix incorrect pointer comparison in t_try_realloc in DEBUG builds
When trying to work out if it's a valid realloc, we need to remember
that in DEBUG builds, we have hidden a size value (in a MEM_ALIGNED
space) before the pointer we return.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - fix realloc/lowwater bug
If DEBUG is enabled, then it can try to look past the low-water mark
as the low-water mark wasn't moved during successful reallocs. This
condition is detected, and causes a panic.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - t_try_realloc get alloc size right in DEBUG builds
Also introduce a helper variable for the common expression for readability.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - helper for last alloc ends at block.data+(size-left)
Less to read, and less noisy.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - add vital sanity-preserving assert to t_pop
If something has re-ordered those two offsets, the following memset
will explode.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - pull common code out of if/else branches in t_malloc_real
Once the new block is set up nicely empty for use, it can be used exactly
like an old block that has enough space - so just merge the code paths.
(This changeset best viewed ignoring whitespace.)

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - reorder full current block code
Make the "enough space" and "block is full" branches in t_malloc_real
have the same code structure for parallelism. The 'block' variable is only
needed very locally, so shrink its scope, and avoid its use once it is
assigned to current_block, use that instead. Compacter readable expressions
have been favoured at the expense of longer lines (which will soon shrink).

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - helper macro for requested/allocated size
Rather than #if/#else/#endif around such calculations, or even
having the possibility to mistype such expressions, just extract
the calculation into a helper macro defined appropriately for
the DEBUG mode.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - disambiguate sizes in t_pop_verify
In DEBUG mode, the allocated size is bigger than the requested size, so
rename the variable to reflect its real meaning, and move it into a
tighter scope in the process.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: test-data-stack - too important a library not to be thrashed hard
OK, it's thrashed a bit by other tests such as aqueue, str, etc., but these
tests attempt to probe all corner cases given detailed knowledge of the
limits of the block/frame implementation.

At the moment, no realloc functionality is tested, as with DEBUG builds
they would fail very noisily.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - simplify expressions in data_stack_last_buffer_reset
Noisy expression used more than once, give it a meaningful name.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: data-stack - enable tighter sanity checks on stack_block allocations
The canary doesn't have to be NULL. That's only effective if it will be read
and dereferenced as a pointer. If used as an integer, it's a perfectly boring
one, and not likely to draw attention to itself.

Once the canary is in place, at least in debug mode, we can check it in
every function as a sanity check.

Make our poison stand out from other poison used elsewhere in the code.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: cosmetic - whitespace cleanup in allocator/memory-related code
Indentation used spaces. Some trailing whitespace found.

$ git diff -w
$

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: add rudimentary statistics gathering to data-stack debugging
These currently just enhance the overly-large alloc_size warning
message in t_malloc_real() to show what the history of allocations
is. New warnings look like this:
 Warning: Growing data stack by 32768 as 'test_run_funcs' reaches 16416 bytes from 202 allocations.

Future possible directions:
t_malloc_real() could be further modified to identify badly-behaved
regions of code that allocate lots of smaller blocks as it happens
(which might be noisy). t_pop() could be modified to detect such code
after it exits its block (so just one warning per instance of
misbehaviour).

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: add markers to data-stack debug prints
Only the DEBUG code will have access to the frame's marker.

Phil Carmody [Mon, 28 Jul 2014 13:45:33 +0000 (16:45 +0300)] 
lib: add identifying markers to data-stack frames
Add a string parameter to t_push() so that in DEBUG mode,
misbehaviour inside a stack level can be blamed on someone.

Default the T_BEGIN macro to automatically use __FUNCTION__ or
__FILE__:__LINE__ as that identifier, therefore no clients of
those macros need to change.

ioloop used t_push() directly as it wanted customised diagnostic
strings. To preserve this friendliness, also introduce a t_push_named()
which takes a format string with parameters.

Apart from the unused parameter, a non-DEBUG build should see no
changes.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Timo Sirainen [Mon, 28 Jul 2014 13:40:25 +0000 (16:40 +0300)] 
doveadm: Added dict commands to access lib-dict via command line.
For debugging and data dumping purposes.

Timo Sirainen [Mon, 28 Jul 2014 12:14:17 +0000 (15:14 +0300)] 
lib-storage: Don't allow '/' for filesystem based mailbox list backends if their internal separator isn't '/'.
Basically this means that Maildir++ shouldn't be allowed to create mailboxes
with '/' in the name.

Timo Sirainen [Fri, 25 Jul 2014 11:10:04 +0000 (14:10 +0300)] 
last-login plugin added. It updates user's login timestamp to configured dict.
Example config:

plugin {
  last_login_dict = redis:host=127.0.0.1:port=6379
  #last_login_key = last-login/%u # default
}

Timo Sirainen [Fri, 25 Jul 2014 10:35:57 +0000 (13:35 +0300)] 
lib-storage: Set mail_user->session_id before calling mail_user_init()

Timo Sirainen [Mon, 21 Jul 2014 08:00:59 +0000 (11:00 +0300)] 
lib-http: Fixed linking test programs.

Stephan Bosch [Mon, 21 Jul 2014 07:54:05 +0000 (10:54 +0300)] 
lib-http: Added initial support for server-side HTTP API.

Timo Sirainen [Mon, 21 Jul 2014 07:53:19 +0000 (10:53 +0300)] 
rawlog: Added -i parameter to include the remote IP address in the filename.

Timo Sirainen [Fri, 11 Jul 2014 13:49:35 +0000 (16:49 +0300)] 
mailbox_list_index=yes: Don't update INBOX's STATUS information to index.
This should reduce disk I/O

Timo Sirainen [Fri, 11 Jul 2014 11:27:52 +0000 (14:27 +0300)] 
auth: If userdb prefetch is configured wrong, return temporary failure instead of "user not known"

Timo Sirainen [Fri, 11 Jul 2014 11:17:17 +0000 (14:17 +0300)] 
lib-http: Debug log now includes where HTTP requests spent their time on.

Timo Sirainen [Fri, 11 Jul 2014 09:10:02 +0000 (12:10 +0300)] 
lib: Added fd=-1 assert to i_close_fd() macro.
This way we'll see clearly where it fails, instead of just seeing assert in
close_keep_errno() without an easy way to see where it crashed.

Timo Sirainen [Fri, 11 Jul 2014 08:14:41 +0000 (11:14 +0300)] 
lib: ioloop-epoll didn't correctly check if there were any IO events.
Alternatively we could have checked for array_count(&ctx->events) >
ctx->deleted_count, but this code is a bit more understandable.

This change doesn't actually fix any proper bugs, it just causes the process
to crash instead of going to infinite wait loop.

Timo Sirainen [Thu, 10 Jul 2014 21:20:41 +0000 (00:20 +0300)] 
lib: file_*_lock() with flock() timeouts should have returned errno=EAGAIN
(Instead of EINTR.)

Timo Sirainen [Thu, 10 Jul 2014 15:31:10 +0000 (18:31 +0300)] 
lmtp: Remove <> from Delivered-To: header.
This annoyingly changes Dovecot behavior in the middle of v2.2.x series, but
the earlier value was definitely wrong. Perhaps we still need to provide a
setting for this, but that's pretty annoying as well.

Timo Sirainen [Thu, 10 Jul 2014 15:17:44 +0000 (18:17 +0300)] 
lib: Compiler warning fixes for 32bit systems

Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)] 
lib: test-istream-tee - randomise which tee stream lags behind the others
Just in case there's something special about the start or the end of the
list of children, make each file be the one that lags behind the others.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)] 
lib: test-istream-tee - more randomisation to the tests
Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)] 
lib: test-istream-tee - verify _read returns correct values after _set_size()
Previously, only an increase of 1 in the size was tested. This ensures that
0 and numbers > 1 are also tested.

Also add _idx to the asserts, so we know where in the loop it failed.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)] 
lib: test-istream-concat - add simultaneous limit streams back into the mix
Return to the previous complex nested stream-type case.

1 time in 10, it tests the simple case of:

test_stream \
test_stream -}- concat_stream
test_stream /
(2-11 of these)

9 times in 10, it tests this configuration instead:

test_stream \                  / limit_stream
test_stream -}- concat_stream {- limit_stream
test_stream /                  \ limit_stream
(2-11 of these)                 (1-9 of these)

Since 31efe2d04793 lib: istream-concat read() returned -2 too early., all tests
pass every time.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 10 Jul 2014 12:59:53 +0000 (15:59 +0300)] 
lib: test-istream-concat - test only concat, not simultaneous limit streams
Test just concat functionality in this unit test. Simultaneous access of
limit streams can be tested elsewhere.

Without the fix in:
  31efe2d04793 lib: istream-concat read() returned -2 too early.
The failure previously seen in test-istream-concat would be still reproducible:
test-istream-concat.c:84: Assert failed: size >= TEST_MAX_BUFFER_SIZE
istream concat random ................................................ : FAILED
test: random seed #1 was 1403118493

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Timo Sirainen [Thu, 10 Jul 2014 12:40:08 +0000 (15:40 +0300)] 
lib-fs: Added FS_PROPERTY_COPY_METADATA and fs_set_metadata() tracking.

Timo Sirainen [Wed, 9 Jul 2014 12:55:59 +0000 (15:55 +0300)] 
lib-fs: Added username and session_id to struct fs directly.

Timo Sirainen [Wed, 9 Jul 2014 12:24:21 +0000 (15:24 +0300)] 
lib-fs: Added fs_settings.username and .session_id

Timo Sirainen [Wed, 9 Jul 2014 12:20:59 +0000 (15:20 +0300)] 
lib-storage: Added struct mail_user.session_id

Stephan Bosch [Wed, 9 Jul 2014 07:55:27 +0000 (10:55 +0300)] 
lib-http: Made sure that connections that are still connecting to the server aren't marked as idle.

Timo Sirainen [Mon, 7 Jul 2014 13:21:08 +0000 (16:21 +0300)] 
lib-index: Don't update log_file_tail_offset unnecessarily.
Update it only if we're already writing to transaction log anyway or if
we're required to update the offset because mail_index_sync_commit() has
increased it past non-external transactions (this is especially important
with mdbox map index).

Timo Sirainen [Mon, 7 Jul 2014 10:24:22 +0000 (13:24 +0300)] 
lib-storage: Minor code cleanup to istream-mail.
eof=TRUE shouldn't be possible with ret=-2, so this just makes it clearer
what the code's intention is.

Timo Sirainen [Mon, 7 Jul 2014 10:15:33 +0000 (13:15 +0300)] 
lib: i_stream_read_copy_from_parent() needs to update access counter also when returning -2
This finishes the 467a4d19f873 fix.

Timo Sirainen [Sun, 6 Jul 2014 16:08:59 +0000 (19:08 +0300)] 
virtual: Fixed assert-crashes where trying to open an already opened backend mailbox.

Timo Sirainen [Fri, 4 Jul 2014 12:33:12 +0000 (15:33 +0300)] 
lib: istream-tee wasn't returning data correctly always.
This fixes an assert-crash in istream-tee.c. (Hopefully it was always
assert-crashing instead of returning corrupted data.)

Phil Carmody [Fri, 4 Jul 2014 11:48:44 +0000 (14:48 +0300)] 
lib: failures - cosmetic write_full cleanup
Error message should have a trailing newline.
Use the POSIX macro for stderr's file number, rather than its numeric value.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Fri, 4 Jul 2014 11:18:25 +0000 (14:18 +0300)] 
config: parser - trivial error message typo
Signed-off-by: Phil Carmody <phil@dovecot.fi>
Timo Sirainen [Fri, 4 Jul 2014 11:17:54 +0000 (14:17 +0300)] 
lmtp: Small code cleanup

Timo Sirainen [Fri, 4 Jul 2014 11:16:16 +0000 (14:16 +0300)] 
imap: If FETCH fails because mail has already been expunged, don't log an error.

Timo Sirainen [Fri, 4 Jul 2014 11:15:41 +0000 (14:15 +0300)] 
lib-storage: Bodystructure parsing flags weren't updated correctly on error conditions.
This fixes an assert-crash sometimes when mail parsing failed.

Timo Sirainen [Fri, 4 Jul 2014 11:14:21 +0000 (14:14 +0300)] 
lib-storage: istream-mail updates mail->expunged if it notices ENOENT from parent stream.

Timo Sirainen [Fri, 4 Jul 2014 11:01:53 +0000 (14:01 +0300)] 
lib-storage: Log mail istream read failures in one place.
Also handle ENOENT errors by checking if the mail has already been expunged,
and if so don't log an error, just return "mail is already expunged" error
to client.

Timo Sirainen [Fri, 4 Jul 2014 10:16:59 +0000 (13:16 +0300)] 
When creating istream-error, give an error string whenever possible.

Timo Sirainen [Fri, 4 Jul 2014 10:16:01 +0000 (13:16 +0300)] 
lib-storage: If mail body reading failed, the error message may have contained only minimal errno string.
Even though the istream could have had a much better internal error message.
So show it.

Timo Sirainen [Fri, 4 Jul 2014 08:48:27 +0000 (11:48 +0300)] 
lib-dict: Removed NFS flushing from dict-file backend.

Timo Sirainen [Thu, 3 Jul 2014 19:24:05 +0000 (22:24 +0300)] 
mbox: If GUID lookup fails because mbox_min_index_size skipped indexes, say so in error message.

Timo Sirainen [Thu, 3 Jul 2014 19:17:49 +0000 (22:17 +0300)] 
acl: Global ACLs now support "patterns with spaces inside quotes"

Timo Sirainen [Thu, 3 Jul 2014 19:16:48 +0000 (22:16 +0300)] 
acl: Oops, ignore_acls check was reversed.

Timo Sirainen [Thu, 3 Jul 2014 18:55:31 +0000 (21:55 +0300)] 
lib-compression: Compression ostreams may have caused parent ostream to use too much memory.

Timo Sirainen [Thu, 3 Jul 2014 18:54:52 +0000 (21:54 +0300)] 
lib: Added o_stream_flush_parent_if_needed() for wrapper ostreams.

Timo Sirainen [Thu, 3 Jul 2014 17:42:08 +0000 (20:42 +0300)] 
acl: Create struct acl_mailbox also for shared root namespace mailboxes.
This fixes crashes where imap_acl code attempts to access ACLs for
nonexistent mailboxes inside shared root namespace. Alternatively the
imap_acl plugin could have checked the nonexistence of ACLs but this is
probably easier and more guaranteed to work.

Timo Sirainen [Thu, 3 Jul 2014 17:28:16 +0000 (20:28 +0300)] 
lmtp: Removed code that attempts to deduplicate mail files by copying them between user mailboxes.
This sometimes started failing if the mail that was being used for copying
was deleted by the user. There's no good way for lmtp code to fix that
situation.

If deduplication is needed, it could be implemented in a more generic way
inside mailbox_copy() where after initial copy it would store the
destination struct mail to src_mail->last_copy_dest_mail. If another mail is
copied, the last_copy_dest_mail could be attempted to be used for the
copying and if that doesn't work it would fallback to regular copying. This
should probably be attempted only for lda/lmtp processes as it would just
cause extra overhead for others.

Timo Sirainen [Thu, 3 Jul 2014 16:34:57 +0000 (19:34 +0300)] 
Compile fix for old systems without SSL_OP_NO_COMPRESSION

Timo Sirainen [Thu, 3 Jul 2014 16:27:45 +0000 (19:27 +0300)] 
fts-lucene: Delay initialization to fix assert-crash with mbox

Phil Carmody [Thu, 3 Jul 2014 16:17:16 +0000 (19:17 +0300)] 
openssl: optionally disable TLS compression
Make ssl compression optional, but enabled by default. Other ssl options
might be tweakable in the future, so have a single ssl_options string,
and explode it into individual flags. (Compare postfix configuration.)
Based on an idea by Andreas Schulze <sca@andreasschulze.de>

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Timo Sirainen [Thu, 3 Jul 2014 16:12:02 +0000 (19:12 +0300)] 
lib-storage: Added mail_namespace_is_shared_user_root() and used it where useful.
Most importantly this should fix a crash in ACL plugin where type=shared
namespace was used without any kind of per-user prefix/location (i.e. it
probably should have been a type=public namespace instead).

Timo Sirainen [Thu, 3 Jul 2014 16:10:33 +0000 (19:10 +0300)] 
acl: Compile fix caused by previous change

Timo Sirainen [Thu, 3 Jul 2014 16:03:59 +0000 (19:03 +0300)] 
lib-storage: Move "shared" storage name to mail-storage-private.h where it can be used.

Timo Sirainen [Thu, 3 Jul 2014 16:00:46 +0000 (19:00 +0300)] 
lib-storage: Minor parsing fix to namespace types: Use strcmp() instead of strncmp().

Timo Sirainen [Thu, 3 Jul 2014 14:44:32 +0000 (17:44 +0300)] 
virtual: Never keep more than specified number of physical mailboxes open.
This should make virtual mailboxes work for users who have a ton of
mailboxes with a ton of mails. Earlier code would likely have failed either
with "Too many open files" or crashed with "Out of memory".

You can change the max number of open mailboxes with:

plugin {
  virtual_max_open_mailboxes = 64
}

The default is 64.

Timo Sirainen [Thu, 3 Jul 2014 14:40:37 +0000 (17:40 +0300)] 
lib-index: Fixed error handling in mail_index_open()

Timo Sirainen [Thu, 3 Jul 2014 14:29:58 +0000 (17:29 +0300)] 
lib-index: Index cache could have kept too many indexes open.
If a lot of indexes were allocated and then later on they were opened and
closed, the alloc-cache simply kept all the indexes open even after they
should have been closed.

Timo Sirainen [Thu, 3 Jul 2014 13:07:09 +0000 (16:07 +0300)] 
lib: DLLIST*_REMOVE*() no longer breaks the linked list if we try to remove item that doesn't exist there.
Hopefully there wasn't any code that actually did this, but it's safer this
way anyway. Perhaps it could be even made to assert-crash if it happens.

Timo Sirainen [Thu, 3 Jul 2014 12:26:32 +0000 (15:26 +0300)] 
lib-storage: mailbox_get_metadata() now opens the mailbox only if it's necessary.

Timo Sirainen [Thu, 3 Jul 2014 11:54:43 +0000 (14:54 +0300)] 
virtual: Recent flags dropping wasn't working as intended.
In the old code '+' meant that \Recent flags were dropped also when the
virtual mailbox was EXAMINEd. SELECTing a mailbox always dropped \Recent
flags regardless of the '+' flag.

What should have happened (and does in new code) is that the \Recent flags
are dropped only on SELECT and only if '+' flag is set.

Timo Sirainen [Thu, 3 Jul 2014 11:37:08 +0000 (14:37 +0300)] 
fts: If we detect corrupted fts expunge log, unlink it.
This avoids the same error repeating forever.

Phil Carmody [Thu, 3 Jul 2014 09:44:50 +0000 (12:44 +0300)] 
lib-imap: test-imap-url - cosmetic whitespace cleanup
Only whitespace changes. All trailing space removed, reindented:
 $ grep '[[:space:]]$' src/lib-imap/test-imap-url.c
 $ git diff -w
 $

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 3 Jul 2014 09:42:11 +0000 (12:42 +0300)] 
lib-imap: test-imap-url - quieten successful sub-tests
Every sub-component of a URL doesn't need its own successful log, so use the
only-print-on-error test_out_quiet() function instead. All failures are just
as explicit as before.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 3 Jul 2014 09:42:11 +0000 (12:42 +0300)] 
lib-test: test-common - add test_out_quiet() to reduce verbosity
Like test_out() but only prints anything if success is false.
This makes it quite much like test_assert(), except that it
doesn't print the code fragment, it prints a custom string.
However, it still counts as a test in the total count, unlike
test_assert*()s.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Thu, 3 Jul 2014 09:42:11 +0000 (12:42 +0300)] 
lib-imap: test_imap_url didn't compare port numbers
It only compared them when they were unset, and defaulting both to 0.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Timo Sirainen [Thu, 3 Jul 2014 08:37:07 +0000 (11:37 +0300)] 
quota: Quota count tracking was still incorrect in over-quota conditions.

Timo Sirainen [Wed, 2 Jul 2014 20:41:10 +0000 (23:41 +0300)] 
lib-index: Recent idx->seq change in strmap forgot to initialize uid_lookup_seq in one place.

Timo Sirainen [Wed, 2 Jul 2014 17:53:46 +0000 (20:53 +0300)] 
test-quota-util: Link to quota-util.lo instead of .o
Hopefully fixes dependency tracking to work correctly?

Timo Sirainen [Wed, 2 Jul 2014 17:36:49 +0000 (20:36 +0300)] 
quota: Fixed quota_transaction_is_over() to handle "user is already over quota" case.
If size=0 we didn't return failure. This change also fixes various potential
integer overflows in the check. Added unit test for the function.

Timo Sirainen [Wed, 2 Jul 2014 17:34:43 +0000 (20:34 +0300)] 
quota: Moved some functions to quota-util.c

Timo Sirainen [Wed, 2 Jul 2014 17:13:35 +0000 (20:13 +0300)] 
lib: Added UINT64_SUM_OVERFLOWS()
Maybe the unit tests are kind of unnecessary since the macro is so simple,
but at least it's now a well tested simple macro :)

Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
pop3: pop3-commands - harden integer parsers against integer overflow
In get_msgnum(), the invalid input "4772185884" (2^32*10/9) would be
parsed as being valid.

In get_size(), the invalid input "204963823041217240178" (2^64*10/9)
would be parsed as being valid.

We have helpers now, so use them.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: strnum - add permissive str_parse_uint() helper
Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: uri-util - harden uri_parse_dec_octet() against overflow
Invalid input 284 (2^8*10/9) is incorrectly parsed as valid.
28 * 10 + 4 = 284 == 28 (mod 2^8), so the wrap detection fails.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib-http: test-http-url - add some tricky invalid numeric hostname URLs
Try to get the numeric octet parser to fail. The RFCs specify that we should
fall back onto parsing them as domain names instead, and hence the unexpected
legitimacy of out-of-range numbers.

NOTE: This causes make check to report the following error:
http url valid [11]: http_url_parse(http://127.0.0.284/this/also/reverts/to/DNS)  : ok
test-http-url.c:328: Assert failed: urlp->have_host_ip == urlt->have_host_ip
http url valid [11] .................................................. : FAILED

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: uri-util - harden uri_parse_port against overflow
The invalid input 72817 (2^16*10/9) is parsed as a valid value.
7281 * 10 + 7 = 72817 == 7281 (mod 2^16), so the prev check fails.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib-http: test-http-url - make port number test cases harder
Exploit common parser weaknesses - out by one, and overflow detection failure.

NOTE: causes make check to fail with the following error:
http url invalid [13]: parse http://example.com:72817/index.html ..... : FAILED
http url invalid [13] ................................................ : FAILED

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
imap: harden read_uoff_t() against overflow
Invalid strings like "20496382304121724029" (2^64*10/9) can be parsed
as valid. Use the new helper.

Change in error behaviour - previously overflows, if they were detected,
caused *p to point to the digit causing the overflow. Now it's undefined.
Current clients don't care about this difference, they just bail.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: strnum - add a permissive uoff_t parser
Functions like these are so cookie-cutter, we may as well use a macro.
Note that signed helpers, if they ever appear, will need more care.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: test-strnum - tests for the new partial-string parser
We can simplify the main tests by always testing whether an appended
non-digit causes parsing to fail at the same time that we test it doesn't
fail with the new more permissive helpers.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: strnum - add permissive partial-string integer parser
Not all strings we want to parse are already strtok'ed into separate pieces.
Therefore add helpers which will read the integer, and return a pointer
past the parsed integer.

The previous helpers can be considered a special case which just follows up
with a check that the '\0' has been reached.

Showing a preference for const pointers generally, this does not try to
mimic the non-const interface of strto{l,ul,ll,ull}().

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib-imap: number parsing simplification and hardening
The invalid string "4772185884" (2^32*10/9) will be misparsed as being valid.
In uint32_t's, 477218588 * 10 + 4 = 477218588
Many large ranges have this issue, 477218588x-858993459x, 954437176x-...

We have helper functions - use them.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
Phil Carmody [Wed, 2 Jul 2014 15:21:24 +0000 (18:21 +0300)] 
lib: strnum - harden str_to_uintmax against overflows
The invalid number "20496382304121724020" (2^64*10/9) will be parsed as valid.
2049638230412172402 * 10 does not noticeably wrap, it becomes 2049638230412172404

Do not perform operations which might wrap, and then try to detect the issue,
just compare with the known fixed bounds before doing the multiplication.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
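
The wrap-detection failure described in the strnum, uri-util, lib-imap, imap and pop3 hardening commits above, as an added C example that is not Dovecot's code. The function names `parse_wrap_then_check` and `parse_bounds_first` are hypothetical, a k-bit unsigned type is emulated by masking with `max` (assumed to be 2^k - 1), and the inputs are the values quoted in the commit messages.

```c
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern (constructed for illustration): do the arithmetic in a
 * k-bit unsigned type, then try to spot a wrap by checking whether the
 * value went down. `max` must be 2^k - 1; masking emulates the k-bit type. */
static int parse_wrap_then_check(const char *s, uint64_t max, uint64_t *out)
{
	uint64_t n = 0, prev;

	if (*s < '0' || *s > '9')
		return -1;
	for (; *s >= '0' && *s <= '9'; s++) {
		prev = n;
		n = (n * 10 + (uint64_t)(*s - '0')) & max;
		if (n < prev)
			return -1; /* only catches wraps that land below prev */
	}
	if (*s != '\0')
		return -1;
	*out = n;
	return 0;
}

/* Hardened pattern: compare with the known fixed bounds before doing the
 * multiplication, so no operation that might wrap is ever performed. */
static int parse_bounds_first(const char *s, uint64_t max, uint64_t *out)
{
	uint64_t n = 0, d;

	if (*s < '0' || *s > '9')
		return -1;
	for (; *s >= '0' && *s <= '9'; s++) {
		d = (uint64_t)(*s - '0');
		if (n > max / 10 || (n == max / 10 && d > max % 10))
			return -1; /* n * 10 + d would exceed max */
		n = n * 10 + d;
	}
	if (*s != '\0')
		return -1;
	*out = n;
	return 0;
}

int main(void)
{
	/* Inputs taken from the commit messages: roughly 2^k * 10 / 9. */
	static const struct {
		const char *text;
		uint64_t max;
	} cases[] = {
		{ "284", UINT8_MAX },                   /* decimal octet */
		{ "72817", UINT16_MAX },                /* port number */
		{ "4772185884", UINT32_MAX },           /* 32-bit message number */
		{ "20496382304121724020", UINT64_MAX }, /* 64-bit size/offset */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t v = 0;
		int flawed = parse_wrap_then_check(cases[i].text, cases[i].max, &v);

		printf("%-22s wrap-then-check: %s", cases[i].text,
		       flawed == 0 ? "accepted as " : "rejected");
		if (flawed == 0)
			printf("%llu", (unsigned long long)v);
		printf("; bounds-first: %s\n",
		       parse_bounds_first(cases[i].text, cases[i].max, &v) == 0 ?
		       "accepted" : "rejected");
	}
	return 0;
}
```

In the first three cases the wrapped value equals the previous one (28, 7281, 477218588), and in the 64-bit case it is slightly larger, so a "did it go down?" test never fires.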