Nick Mathewson [Thu, 24 Apr 2014 18:00:36 +0000 (14:00 -0400)]
Fwd-port: Add a missing changelog entry back from 0.2.4.11-alpha
When I merged the fix for #7351, and implemented proposal 214 (4-byte
circuit IDs), I forgot to add a changes file. Later, we never noticed
that it didn't have one.
Resolves ticket #11555. Thanks to cypherpunks for noticing this was
missing.
Nick Mathewson [Thu, 3 Apr 2014 16:06:44 +0000 (12:06 -0400)]
Change the logic for the default for MaxMemInQueues
If we can't detect the physical memory, the new default is 8 GB on
64-bit architectures, and 1 GB on 32-bit architectures.
If we *can* detect the physical memory, the new default is
CLAMP(256 MB, phys_mem * 0.75, MAX_DFLT)
where MAX_DFLT is 8 GB on 64-bit architectures and 2 GB on 32-bit
architectures.
You can still override the default by hand. The logic here is simply
trying to choose a lower default value on systems with less than 12 GB
of physical RAM.
Nick Mathewson [Sat, 19 Apr 2014 17:16:56 +0000 (13:16 -0400)]
scan-build: memarea_strndup() undefined behavior
The memarea_strndup() function would have hit undefined behavior by
creating an 'end' pointer off the end of a string if it had ever been
given an 'n' argument bigger than the length of the memory ares that
it's scanning. Fortunately, we never did that except in the unit
tests. But it's not a safe behavior to leave lying around.
Nick Mathewson [Sat, 19 Apr 2014 17:07:30 +0000 (13:07 -0400)]
scan-build: avoid undef behaior in tor_inet_pton
If we had an address of the form "1.2.3.4" and we tried to pass it to
tor_inet_pton with AF_INET6, it was possible for our 'eow' pointer to
briefly move backwards to the point before the start of the string,
before we moved it right back to the start of the string. C doesn't
allow that, and though we haven't yet hit a compiler that decided to
nuke us in response, it's best to fix.
So, be more explicit about requiring there to be a : before any IPv4
address part of the IPv6 address. We would have rejected addresses
without a : for not being IPv6 later on anyway.
Nick Mathewson [Sat, 19 Apr 2014 16:53:57 +0000 (12:53 -0400)]
scan-build: sizeof(ptr*) in a debugging log in ext_orport.c
Instead of taking the length of a buffer, we were taking the length of
a pointer, so that our debugging log would cover only the first
sizeof(void*) bytes of the client nonce.
Nick Mathewson [Sat, 19 Apr 2014 16:39:14 +0000 (12:39 -0400)]
scan-build: limit hashtable size so it always fits in SSIZE_MAX
scan-build recognizes that in theory there could be a numeric overflow
here.
This can't numeric overflow can't trigger IRL, since in order to fill a
hash table with more than P=402653189 buckets with a reasonable load
factor of 0.5, we'd first have P/2 malloced objects to put in it--- and
each of those would have to take take at least sizeof(void*) worth of
malloc overhead plus sizeof(void*) content, which would run you out of
address space anyway on a 32-bit system.
Nick Mathewson [Sat, 19 Apr 2014 01:24:16 +0000 (21:24 -0400)]
scan-build: bulletproof last-chance errormsg generation in rendservice.c
If 'intro' is NULL in these functions, I'm pretty sure that the
error message must be set before we hit the end. But scan-build
doesn't notice that, and is worried that we'll do a null-pointer
dereference in the last-chance errormsg generation.
Nick Mathewson [Sat, 19 Apr 2014 01:17:40 +0000 (21:17 -0400)]
scan-build: Have clear_pending_onions walk the lists more obviously
As it stands, it relies on the fact that onion_queue_entry_remove
will magically remove each onionskin from the right list. This
patch changes the logic to be more resilient to possible bugs in
onion_queue_entry_remove, and less confusing to static analysis tools.
Nick Mathewson [Sat, 19 Apr 2014 01:12:45 +0000 (21:12 -0400)]
scan-build: in cpuworker, initialize tv_start
scan-build doesn't realize that a request can't be timed at the end
unless it's timed at the start, and so it's not possible for us to
be subtracting start from end without start being set.
Nevertheless, let's not confuse it.
Nick Mathewson [Sat, 19 Apr 2014 00:41:40 +0000 (20:41 -0400)]
scan-build: get_proxy_addrport should always set its outputs
When get_proxy_addrport returned PROXY_NONE, it would leave
addr/port unset. This is inconsistent, and could (if we used the
function in a stupid way) lead to undefined behavior. Bugfix on 5b050a9b0, though I don't think it affects tor-as-it-is.
Nick Mathewson [Sat, 19 Apr 2014 00:40:34 +0000 (20:40 -0400)]
scan-build: when logging a path length, check build_state.
Throughout circuituse, when we log about a circuit, we log its
desired path length from build_state. scan-build is irrationally
concerned that build_state might be NULL.
Nick Mathewson [Sat, 19 Apr 2014 00:33:47 +0000 (20:33 -0400)]
scan-build: Be consistent with a needless check in circuitmux.c
In circuitmux_detach_all_circuits, we check whether an HT iterator
gives us NULL. That should be impossible for an HT iterator. But
our checking it has confused scan-build (justly) into thinking that
our later use of HT_NEXT_RMV might not be kosher. I'm taking the
coward's route here and strengthening the check. Bugfix on fd31dd44. (Not a real bug though)
Nick Mathewson [Sat, 19 Apr 2014 00:30:46 +0000 (20:30 -0400)]
scan-build: Avoid crashing on BUG in circuit_get_by_rend_token_and_purpose
If we fail in circuit_get_by_rend_token_and_purpose because the
circuit has no rend_info, don't try to reference fiends from its
rend_info when logging an error. Bugfix on 8b9a2cb68, which is
going into Tor 0.2.5.4-alpha.
Nick Mathewson [Fri, 18 Apr 2014 18:49:39 +0000 (14:49 -0400)]
Improved message when running sandbox on Linux without libseccomp
Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp. Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
Nick Mathewson [Fri, 18 Apr 2014 16:50:04 +0000 (12:50 -0400)]
Switch to random allocation on circuitIDs.
Fixes a possible root cause of 11553 by only making 64 attempts at
most to pick a circuitID. Previously, we would test every possible
circuit ID until we found one or ran out.
This algorithm succeeds probabilistically. As the comment says:
This potentially causes us to give up early if our circuit ID
space is nearly full. If we have N circuit IDs in use, then we
will reject a new circuit with probability (N / max_range) ^
MAX_CIRCID_ATTEMPTS. This means that in practice, a few percent
of our circuit ID capacity will go unused.
The alternative here, though, is to do a linear search over the
whole circuit ID space every time we extend a circuit, which is
not so great either.
This makes new vs old clients distinguishable, so we should try to
batch it with other patches that do that, like 11438.
Nick Mathewson [Thu, 17 Apr 2014 14:23:18 +0000 (10:23 -0400)]
Elevate server TLS cipher preferences over client
The server cipher list is (thanks to #11513) chosen systematically to
put the best choices for Tor first. The client cipher list is chosen
to resemble a browser. So let's set SSL_OP_CIPHER_SERVER_PREFERENCE
to have the servers pick according to their own preference order.
dana koch [Mon, 10 Feb 2014 10:23:51 +0000 (21:23 +1100)]
Educate tor on OpenBSD's use of divert-to rules with the pf firewall.
This means that tor can run without needing to communicate with ioctls
to the firewall, and therefore doesn't need to run with privileges to
open the /dev/pf device node.
A new TransProxyType is added for this purpose, "pf-divert"; if the user
specifies this TransProxyType in their torrc, then the pf device node is
never opened and the connection destination is determined with getsockname
(as per pf(4)). The default behaviour (ie., when TransProxyType is "default"
when using the pf firewall) is still to assume that pf is configured with
rdr-to rules.
Nick Mathewson [Mon, 3 Feb 2014 19:09:07 +0000 (14:09 -0500)]
ipfw TransPort support on FreeBSD (10267)
This isn't on by default; to get it, you need to set "TransProxyType
ipfw". (The original patch had automatic detection for whether
/dev/pf is present and openable, but that seems marginally fragile.)
Nick Mathewson [Wed, 16 Apr 2014 19:17:23 +0000 (15:17 -0400)]
Use SCMP_CMP_MASKED_EQ to allow flags, not force them
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.
Nick Mathewson [Wed, 16 Apr 2014 18:54:39 +0000 (14:54 -0400)]
Get Libevent's PRNG functioning under the linux sandbox
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
Nick Mathewson [Wed, 16 Apr 2014 16:59:33 +0000 (12:59 -0400)]
Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
projects / thirdparty / tor.git / log
