Nick Mathewson [Mon, 13 Dec 2010 23:40:21 +0000 (18:40 -0500)]
Have all of our allocation functions and a few others check for underflow
It's all too easy in C to convert an unsigned value to a signed one,
which will (on all modern computers) give you a huge signed value. If
you have a size_t value of size greater than SSIZE_T_MAX, that is way
likelier to be an underflow than it is to be an actual request for
more than 2gb of memory in one go. (There's nothing in Tor that
should be trying to allocate >2gb chunks.)
Nick Mathewson [Mon, 6 Dec 2010 17:01:32 +0000 (12:01 -0500)]
Fix a bug in calculating wakeup time on 64-bit machines.
If you had TIME_MAX > INT_MAX, and your "time_to_exhaust_bw =
accountingmax/expected_bandwidth_usage * 60" calculation managed to
overflow INT_MAX, then your time_to_consider value could underflow and
wind up being rediculously low or high. "Low" was no problem;
negative values got caught by the (time_to_consider <= 0) check.
"High", however, would get you a wakeup time somewhere in the distant
future.
The fix is to check for time_to_exhaust_bw overflowing INT_MAX, not
TIME_MAX: We don't allow any accounting interval longer than a month,
so if time_to_exhaust_bw is significantly larger than 31*24*60*60, we
can just clip it.
This is a bugfix on 0.0.9pre6, when accounting was first introduced.
It fixes bug 2146, unless there are other causes there too. The fix
is from boboper. (I tweaked it slightly by removing an assignment
that boboper marked as dead, and lowering a variable that no longer
needed to be function-scoped.)
Nick Mathewson [Mon, 6 Dec 2010 16:36:01 +0000 (11:36 -0500)]
Add a missing ! to directory_fetches_from_authorities
The old logic would have us fetch from authorities if we were refusing
unknown exits and our exit policy was reject*. Instead, we want to
fetch from authorities if we're refusing unknown exits and our exit
policy is _NOT_ reject*.
Fixed by boboper. Fixes more of 2097. Bugfix on 0.2.2.16-alpha.
Nick Mathewson [Fri, 3 Dec 2010 18:37:13 +0000 (13:37 -0500)]
Don't crash when accountingmax is set in non-server Tors
We use a hash of the identity key to seed a prng to tell when an
accounting period should end. But thanks to the bug998 changes,
clients no longer have server-identity keys to use as a long-term seed
in accounting calculations. In any case, their identity keys (as used
in TLS) were never never fixed. So we can just set the wakeup time
from a random seed instead there. Still open is whether everybody
should be random.
This patch fixes bug 2235, which was introduced in 0.2.2.18-alpha.
Correct information about support for guards being called helper nodes.
The spec stated that support for the helper-nodes command would be removed
in 0.1.3.x, however support for this command is still in Tor. Updated the spec
to reflect this and added a node that the command is deprecated.
Correct grammars to reflect that VERBOSE_NAMES is part of the protocol.
Several updates to grammars for events and GETINFO results. All relate
to the fact that LongName has replaced ServerID since 0.2.2.1-alpha. See
documentation of VERBOSE_NAMES for more information. The following
grammars were changed:
* orconn-status GETINFO result
* entry-guards GETINFO result
* Path general token
* OR Connection status changed event
* New descriptors available event
In all cases a note was added about when the old grammar applies.
Several changes to the way tokens describing servers are documented.
(1) Made the wording of the comments consistant with token names.
Digest/Fingerprint and Name/Nickname were being used interchangeably.
Better to just use Fingerprint and Nickname becuase they are the names
of the tokens.
(2) Places the tokens currently in use before the tokens used in older
versions. ServerSpec should be documented before ServerID.
(3) Added a note to the comments about ServerID that cross reference
the VERBOSE_FEATURE, allowing users to see when and why ServerID was
replaced with LongName.
(1) On by default is a bad way to describe features. Rather, they
are always on and should be viewed as a part of the control
protocol. Updated the wording in USEFEATURE to reflect this.
(2) Made descriptions of Tor versions consistant across all
features. There is the version in which a feature was introduced and
the version in which it became part of the protocol.
(3) Reworded the description of the VERBOSE_NAMES feature. The
previous wording describes the way things used to be first. Better to
lead with the current state of things and then describe how it differs
from old versions.
Mashael AlSabah [Mon, 29 Nov 2010 20:34:21 +0000 (15:34 -0500)]
Improve fairness when activating streams in circuit_resume_edge_reading_helper
The reason the "streams problem" occurs is due to the complicated
interaction between Tor's congestion control and libevent. At some point
during the experiment, the circuit window is exhausted, which blocks all
edge streams. When a circuit level sendme is received at Exit, it
resumes edge reading by looping over linked list of edge streams, and
calling connection_start_reading() to inform libevent to resume reading.
When the streams are activated again, Tor gets the chance to service the
first three streams activated before the circuit window is exhausted
again, which causes all streams to be blocked again. As an experiment,
we reversed the order in which the streams are activated, and indeed the
first three streams, rather than the last three, got service, while the
others starved.
Our solution is to change the order in which streams are activated. We
choose a random edge connection from the linked list, and then we
activate streams starting from that chosen stream. When we reach the end
of the list, then we continue from the head of the list until our chosen
stream (treating the linked list as a circular linked list). It would
probably be better to actually remember which streams have received
service recently, but this way is simple and effective.
Nick Mathewson [Tue, 16 Nov 2010 00:38:19 +0000 (19:38 -0500)]
Clean up my 1776 fix a bit
Sebastian notes (and I think correctly) that one of our ||s should
have been an &&, which simplifies a boolean expression to decide
whether to replace bridges. I'm also refactoring out the negation at
the start of the expression, to make it more readable.
Sebastian Hahn [Mon, 4 Oct 2010 11:31:58 +0000 (13:31 +0200)]
Rate-limit unsafe socks warning
Pick 5 seconds as the limit. 5 seconds is a compromise here between
making sure the user notices that the bad behaviour is (still) happening
and not spamming their log too much needlessly (the log message is
pretty long). We also keep warning every time if safesocks is
specified, because then the user presumably wants to hear about every
blocked instance.
(This is based on the original patch by Sebastian, then backported to
0.2.2 and with warnings split into their own function.)
Karsten Loesing [Sat, 13 Nov 2010 21:25:19 +0000 (22:25 +0100)]
Try harder not to exceed the 50 KB extra-info descriptor limit.
Our checks that we don't exceed the 50 KB size limit of extra-info
descriptors apparently failed. This patch fixes these checks and reserves
another 250 bytes for appending the signature. Fixes bug 2183.
Robert Ransom [Fri, 12 Nov 2010 11:04:07 +0000 (03:04 -0800)]
Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.
Robert Ransom [Fri, 12 Nov 2010 08:21:03 +0000 (00:21 -0800)]
Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.
Nick Mathewson [Tue, 2 Nov 2010 15:49:58 +0000 (11:49 -0400)]
Enforce multiplicity rules when parsing annotations.
We would never actually enforce multiplicity rules when parsing
annotations, since the counts array never got entries added to it for
annotations in the token list that got added by earlier calls to
tokenize_string.
Sebastian Hahn [Fri, 29 Oct 2010 17:41:24 +0000 (19:41 +0200)]
Synx manpage and source wrt option capitalization
We had a spelling discrepancy between the manpage and the source code
for some option. Resolve these in favor of the manpage, because it
makes more sense (for example, HTTP should be capitalized).
Sebastian Hahn [Fri, 29 Oct 2010 22:03:31 +0000 (00:03 +0200)]
Comment out the (unused) RunTesting option
The code that makes use of the RunTesting option is #if 0, so setting
this option has no effect. Mark the option as obsolete for now, so that
Tor doesn't list it as an available option erroneously.
Sebastian Hahn [Mon, 11 Oct 2010 16:47:14 +0000 (18:47 +0200)]
Remove everything related to os x expert package
We decided to no longer ship expert packages for OS X because they're a
lot of trouble to keep maintained and confuse users. For those who want
a tor on OS X without Vidalia, macports is a fine option. Alternatively,
building from source is easy, too.
The polipo stuff that is still required for the Vidalia bundle build can
now be found in the torbrowser repository,
git://git.torproject.org/torbrowser.git.
Nick Mathewson [Tue, 2 Nov 2010 15:20:09 +0000 (11:20 -0400)]
Fix the assert in bug 1776
In the case where old_router == NULL but sdmap has an entry for the
router, we can currently safely infer that the old_router was not a
bridge. Add an assert to ensure that this remains true, and fix the
logic not to die with the tor_assert(old_router) call.
Sebastian Hahn [Tue, 26 Oct 2010 16:22:04 +0000 (18:22 +0200)]
Properly refcount client_identity_key
In a2bb0bf we started using a separate client identity key. When we are
in "public server mode" (that means not a bridge) we will use the same
key. Reusing the key without doing the proper refcounting leads to a
segfault on cleanup during shutdown. Fix that.
Also introduce an assert that triggers if our refcount falls below 0.
That should never happen.
projects / thirdparty / tor.git / log
