Simon McVittie [Wed, 1 Jul 2020 15:01:38 +0000 (16:01 +0100)]
tests: On Unix, include <netinet/in.h> for IPPROTO_TCP
Otherwise, dbus doesn't compile on FreeBSD if the GLib-based tests
are enabled (which suggests that no FreeBSD user has run those tests
successfully).
We already include <netinet/in.h> in other places with no conditions
or checks other than "is Unix", so apparently it's portable enough that
specifically testing for its presence is not necessary. POSIX requires it
to exist.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.
However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.
In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.
An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).
Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.
Closes: dbus#305 Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 30 Jun 2020 18:13:17 +0000 (19:13 +0100)]
userdb: Make lookups return a const pointer
This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Mon, 18 May 2020 10:47:51 +0000 (12:47 +0200)]
cmake: add support for user session semantic on Linux operating systems
Systemd user support is controlled by the cmake variable ENABLE_USER_SESSION,
which and WITH_SYSTEMD_USERUNITDIR to specify a custom installation
location. If WITH_SYSTEMD_USERUNITDIR is not specified, the related install
path is determined from an installed systemd package, if present.
This was added to the Autotools build system as part of fd.o#61301,
but until now was not possible to enable when building with CMake.
Ralf Habacker [Mon, 18 May 2020 10:44:37 +0000 (12:44 +0200)]
cmake: Add support for systemd integration on Linux operating systems
Previously, only the Autotools build system could do this. This commit
includes most of the same features as in the Autotools build, although
not the user-session semantics, which will be added separately.
Systemd support is controlled by the cmake variable ENABLE_SYSTEMD, which can
have the values OFF, ON and AUTO, the latter enabling support by default if
the required libraries are available.
With WITH_SYSTEMD_SYSTEMUNITDIR a custom installation location can be specified.
If it is not specified, the related install path is determined from the installed
systemd package, if present.
cmake: Use CMAKE_INSTALL_FULL_<dir> for configuration and state
This means we apply GNUInstallDirs' various special cases when
the prefix is /, /usr or something starting with /opt; these are
not applied when installing to CMAKE_INSTALL_<dir>. See
https://cmake.org/cmake/help/latest/module/GNUInstallDirs.html#special-cases
Simon McVittie [Wed, 10 Jun 2020 08:47:15 +0000 (09:47 +0100)]
Normalize C source files to end with exactly one newline
Some editors automatically remove trailing blank lines, or
automatically add a trailing newline to avoid having a trailing
non-blank line that is not terminated by a newline. To avoid unrelated
whitespace changes when users of such editors contribute to dbus,
let's pre-emptively normalize all files.
Unlike more intrusive whitespace normalization like removing trailing
whitespace from each line, this seems unlikely to cause significant
issues with cherry-picking changes to stable branches.
Simon McVittie [Thu, 16 Apr 2020 13:45:11 +0000 (14:45 +0100)]
sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
MSG_CTRUNC indicates that we have received fewer fds that we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.
On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.
Ralf Habacker [Tue, 5 Feb 2019 13:46:51 +0000 (14:46 +0100)]
cmake: Let Wine display the correct file name and line numbers for backtraces
Wine currently only supports the symbol formats STABS and DWARF 2,
but not the other versions, with STABS providing the most information
and being the first choice.
Since we already use the cmake variable DBUS_USE_WINE for running tests
under Wine, we also use it to activate the special symbol format.
Add support to generate the api documentation in Qt help format
Qt help files are used by Qt Creator and KDevelop, for example, to support
the development of Qt-based applications and libraries.
Generating api documentation in Qt help format is controlled by two
user specific options named --enable-qt-help and --with-qchdir (autotools)
and -DENABLE_QT_HELP and -DINSTALL_QCH_DIR (cmake).
cmake: remove component 'dev' as we never used that consistently
Marking targets with a component would only be useful if we
marked every target with a component in a consistent way,
but because we don't do that, it's pointless to have it
in just a few places.
Fix bug not detecting out of memory condition in _dbus_poll_events ()
For cleaning purpose the event list members are initialized with
WSA_INVALID_EVENT. The cleanup code detects and handles the
case that the event list has been created from calloc ().
Separate the event based implementation for _dbus_poll() from the fd based one
The function _dbus_poll() has been split into two functions,
_dbus_poll_events() and _dbus_poll_select(), each containing the
corresponding implementation.
_dbus_poll() now calls the corresponding function.
Some of the command-lines that we print as diagnostics contain newlines,
which will cause warnings or errors under a strict TAP parser (and one of
them wasn't correctly prefixed with '#' anyway). TAP parsers only parse
stdout, not stderr, so we can use stderr for these diagnostic messages.
[smcv: Expand commit message]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Otherwise, Coverity will diagnose this as a resource leak,
because it doesn't understand that our assertions end up guaranteeing
that the result is freed if and only if it's non-`NULL`.
Simon McVittie [Thu, 16 Apr 2020 13:18:49 +0000 (14:18 +0100)]
test: Enable more tests when embedded tests are disabled
These previously relied on embedding test-specific code in libdbus,
but they actually only need public APIs, private interfaces that get
exported anyway for the benefit of dbus-daemon, and the TAP helpers;
so we can run them even in production builds.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 6 Apr 2020 13:48:11 +0000 (14:48 +0100)]
CI: Build on Debian 10 'buster' by default
Previously, we built on Debian 9 'stretch' by default, and on
Debian 10 'buster' only on request. Let's reverse that so that we get
more modern toolchains, before Debian 9 'stretch' reaches EOL.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 11 Mar 2020 13:14:45 +0000 (13:14 +0000)]
sysdeps-win: Refactor cleanup of struct addrinfo during connect()
As suggested on !143. Instead of remembering to free it in every error
condition, let's move its cleanup to the "out" phase so that it's done
every time.
Change the iterator variable tmp to be const so that it's obvious we
aren't meant to free that too.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 11 Mar 2020 13:12:22 +0000 (13:12 +0000)]
sysdeps-unix: Don't leak struct addrinfo on OOM during connect()
If we ran out of memory while handling connect() errors, we didn't
free the linked list of struct addrinfo. Move their cleanup to the
"out" phase of the function so that we always do it.
While I'm there, change the iterator variable tmp to be const, to make
it more obvious that we aren't meant to free it.
This is similar to commit 00badeba (!143) in the corresponding Windows
code path, but with some refactoring.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Tue, 10 Mar 2020 21:59:19 +0000 (22:59 +0100)]
Fix missing release of the memory allocated in _dbus_connect_tcp_socket_with_nonce() in OOM case
If there is no more memory available within the mentiond function, e.g.,
when checking memory management, the release of memory allocated by
getaddrinfo() is missing.
Each connection that is an active monitor holds a pointer to its own
link in this list, via BusConnectionData.link_in_monitors. We can't
validly free the list while these pointers exist: that would be a
use-after-free, when each connection gets disconnected and tries to
remove itself from the list.
Instead, let each connection remove itself from the list, then assert
that the list has become empty.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/291
Ralf Habacker [Thu, 20 Feb 2020 08:50:00 +0000 (08:50 +0000)]
In _dbus_verbose_real() avoid possible stack overflows on output to the Windows debug port
Instead of creating a fixed memory area on the stack that can lead to
a stack overflow if exceeded, this configuration now uses a DBusString
instance that dynamically manages memory.
Ralf Habacker [Thu, 12 Dec 2019 08:34:58 +0000 (09:34 +0100)]
Add a trivial sanity-check for the atomic primitives
This doesn't verify that they're atomic, but does verify that they
return the right things.
This commit adds a new test function _dbus_test_check (a) to make
writing tests easier. It checks the given boolean expression and
generates a "not ok" test result if the expression is false.
Due to the current design of the test api, the test is only compiled
if embedded tests were enabled at the time of configuration.
It was also necessary to move the test_atomic target definitions in
test/Makefile.am to the --enable-embedded-tests section to avoid a
make distcheck build error.
The test case itself has been authored by smcv.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 6 Dec 2019 01:54:18 +0000 (02:54 +0100)]
_dbus_modify_sigpipe: be thread-safe
This needs new atomic primitives: we don't have "set to a value",
and in fact that's a bit annoying to implement in terms of gcc
intrinsics. "Set to 0" and "set to nonzero" are easy, though.
projects / thirdparty / dbus.git / log
