Check number of usable guards when applying md restrictions.
We used to check whether we have enough filtered guards (guard set when
torrc is applied) but that's not good enough, since that might be bad in
some cases where many guards are not reachable (might cause overblocking
and hence reacahbility issues).
We now check if we have enough reachable filtered guards before applying
md restrictions which should prevent overblocking.
Nick Mathewson [Mon, 20 Nov 2017 16:02:40 +0000 (11:02 -0500)]
Correctly handle partial success in consensus diff calculation.
Previously, if store_multiple() reported a partial success, we would
store all the handles it gave us as if they had succeeded. But it's
possible for the diff to be only partially successful -- for
example, if LZMA failed but the other compressors succeeded.
Nick Mathewson [Mon, 20 Nov 2017 15:14:41 +0000 (10:14 -0500)]
Recover better from empty/invalid storagedir files
If we can't read a file because of an FS issue, we say "we can't
read that" and move on. But if we can't read it because it's empty,
because it has no labels, or because its labels are misformatted, we
should remove it.
David Goulet [Tue, 14 Nov 2017 14:01:21 +0000 (09:01 -0500)]
circuit: Don't timeout opened C_INTRODUCING circuit
A circuit with purpose C_INTRODUCING means that its state is opened but the
INTRODUCE1 cell hasn't been sent yet. We shouldn't consider that circuit when
looking for timing out "building circuit". We have to wait on the rendezvous
circuit to be opened before sending that cell so the intro circuit needs to be
kept alive for at least that period of time.
This patch makes that the purpose C_INTRODUCING is ignored in the
circuit_expire_building() which means that we let the circuit idle timeout
take care of it if we end up never using it.
Fixes #23681
Signed-off-by: David Goulet <dgoulet@torproject.org>
Nick Mathewson [Sat, 18 Nov 2017 15:26:45 +0000 (10:26 -0500)]
Add an extra check in test_entrynodes
This check makes it so we can reach "done" without setting "conn",
and so the "if (conn)" check will not be redundant, and so coverity
won't complain. Fixes CID 1422205. Not actually a bug.
Nick Mathewson [Thu, 16 Nov 2017 18:53:48 +0000 (13:53 -0500)]
Make our seccomp2 sandbox handle Glibc 2.26
There are three changes here:
* We need to allow epoll_pwait.
* We need to allow PF_NETLINK sockets to be opened with SOCK_CLOEXEC.
* We need to use openat() instead of open().
Note that this fix is not complete, since the openat() change is
turned off. The next commit will make the openat() change happen
when we're running glibc 2.26 or later.
Nick Mathewson [Thu, 16 Nov 2017 16:45:15 +0000 (11:45 -0500)]
Fix a traceback when closing a blocked connection "immediately".
When we close a connection via connection_close_immediately, we kill
its events immediately. But if it had been blocked on bandwidth
read/write, we could try to re-add its (nonexistent) events later
from connection_bucket_refill -- if we got to that callback before
we swept the marked connections.
Fixes bug 24167. Fortunately, this hasn't been a crash bug since we
introduced connection_check_event in 0.2.9.10, and backported it.
This is a bugfix on commit 89d422914a0c3cb, I believe, which
appeared in Tor 0.1.0.1-rc.
David Goulet [Thu, 16 Nov 2017 15:51:41 +0000 (10:51 -0500)]
relay: Avoid extra LOG_NOTICE for every new descriptor batch
Commit 56c5e282a733912776f6dacbe4f5df66b4fb9606 suppressed that same log
statement in directory_info_has_arrived() for microdescriptors so do the same
for the descriptors. As the commit says, we already have the bootstrap
progress for this.
Fixes #23861
Signed-off-by: David Goulet <dgoulet@torproject.org>
Nick Mathewson [Thu, 16 Nov 2017 14:30:19 +0000 (09:30 -0500)]
Downgrade evdns warnings about weird replies.
evdns is allowed to give us unrecognized object types; it is allowed
to give us non-IPv4 answer types, and it is (even) allowed to give
us empty answers without an error.
Silence a warning about failed descriptor uploads.
Due to #23662 this can happen under natural causes and does not disturb
the functionality of the service. This is a simple 0.3.2 fix for now,
and we plan to fix this properly in 0.3.3.
David Goulet [Wed, 8 Nov 2017 19:36:04 +0000 (14:36 -0500)]
dirauth: Recalculate voting schedule at first vote
Commit e67f4441eb2646368e3e7cb1bcee403667b786f0 introduced a safeguard against
using an uninitialized voting schedule object. However, the dirvote_act() code
was looking roughly at the same thing to know if it had to compute the timings
before voting with this condition:
if (!voting_schedule.voting_starts) {
...
dirvote_recalculate_timing(options, now);
}
The sr_init() function is called very early and goes through the safeguard
thus the voting schedule is always initilized before the first vote.
That first vote is a crucial one because we need to have our voting schedule
aligned to the "now" time we are about to use for voting. Then, the schedule
is updated when we publish our consensus or/and when we set a new consensus.
From that point on, we only want to update the voting schedule through that
code flow.
This "created_on_demand" is indicating that the timings have been recalculated
on demand by another subsystem so if it is flagged, we know that we need to
ignore its values before voting.
Fixes #24186
Signed-off-by: David Goulet <dgoulet@torproject.org>
projects / thirdparty / tor.git / log
