1. 02 May, 2019 1 commit
  2. 30 Apr, 2019 2 commits
  3. 29 Apr, 2019 1 commit
  4. 25 Apr, 2019 1 commit
  5. 24 Apr, 2019 1 commit
    • Lower log level of unlink() errors in networkstatus_set_current_consensus(). · 04290724
      Alexander Færøy authored
      In this patch we lower the log level of the failures for the three calls
      to unlink() in networkstatus_set_current_consensus(). These errors might
      trigger on Windows because the memory mapped consensus file keeps the
      file in open state even after we have close()'d it. Windows will then
      error on the unlink() call with a "Permission denied" error.
      
      The consequence of ignoring these errors is that we leave an unused
      file around on the file-system, which is an easier way to fix this
      problem right now than refactoring networkstatus_set_current_consensus().
      
      See: https://bugs.torproject.org/29930
      04290724
  6. 23 Apr, 2019 1 commit
  7. 19 Apr, 2019 13 commits
  8. 18 Apr, 2019 1 commit
  9. 17 Apr, 2019 2 commits
  10. 15 Apr, 2019 6 commits
  11. 12 Apr, 2019 2 commits
  12. 11 Apr, 2019 2 commits
  13. 10 Apr, 2019 5 commits
    • Bump version to 0.4.0.4-rc · b2fc5742
      Nick Mathewson authored
      b2fc5742
    • Nick Mathewson's avatar
    • Add changes file for #30040. · 2cdc6b20
      George Kadianakis authored
      2cdc6b20
    • Prevent double free on huge files with 32 bit. · 9ce0bdd2
      Tobias Stoeckmann authored
      The function compat_getdelim_ is used for tor_getline if tor is compiled
      on a system that lacks getline and getdelim. These systems should be
      very rare, considering that getdelim is POSIX.
      
      If this system is further a 32 bit architecture, it is possible to
      trigger a double free with huge files.
      
      If bufsiz has been already increased to 2 GB, the next chunk would
      be 4 GB in size, which wraps around to 0 due to 32 bit limitations.
      
      A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);"
      which therefore could return NULL. The code in question considers
      that an error, but will keep the value of *buf pointing to already
      freed memory.
      
      The caller of tor_getline() would free the pointer again, therefore
      leading to a double free.
      
      This code can only be triggered in dirserv_read_measured_bandwidths
      with a huge measured bandwidth list file on a system that actually
      allows to reach 2 GB of space through realloc.
      
      It is not possible to trigger this on Linux with glibc or other major
      *BSD systems even on unit tests, because these systems cannot reach
      so much memory due to memory fragmentation.
      
      This patch is effectively based on the penetration test report of
      cure53 for curl available at https://cure53.de/pentest-report_curl.pdf
      and explained under section "CRL-01-007 Double-free in aprintf() via
      unsafe size_t multiplication (Medium)".
      9ce0bdd2
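
      The failure mode described in the commit message above, shown as an added example (this is not Tor's or curl's code): the first function reproduces the 32-bit wrap of the doubled size, and the second is one way to grow a line buffer so that the size never wraps to 0 and the caller's pointer stays valid on failure. The name `grow_line_buffer`, the `limit` parameter and the initial size of 64 are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked doubling as a 32-bit size_t computes it: 2 GB * 2 wraps
 * to 0, so the next request would be realloc(*buf, 0). */
static uint32_t doubled_size_32bit(uint32_t bufsiz)
{
    return bufsiz * 2u; /* unsigned arithmetic wraps modulo 2^32 */
}

/* Hypothetical hardened growth step (names and `limit` are assumptions).
 * Returns 0 on success. On failure returns -1, sets errno and leaves
 * *buf and *bufsiz untouched, so the caller's single free(*buf) stays
 * correct. */
static int grow_line_buffer(char **buf, size_t *bufsiz, size_t limit)
{
    size_t next;
    char *tmp;

    /* Refuse before multiplying: doubling would pass limit or wrap. */
    if (*bufsiz > limit / 2 || (*bufsiz == 0 && limit < 64)) {
        errno = ERANGE;
        return -1;
    }
    next = *bufsiz ? *bufsiz * 2 : 64;  /* 64: constructed initial size */

    tmp = realloc(*buf, next);          /* next is never 0 on this path */
    if (tmp == NULL) {
        errno = ENOMEM;                 /* the old block is still valid */
        return -1;
    }
    *buf = tmp;                         /* publish only after success */
    *bufsiz = next;
    return 0;
}

int main(void)
{
    char *buf = NULL;
    size_t bufsiz = 0;

    printf("2 GB doubled in 32 bits: %u\n", (unsigned)doubled_size_32bit(0x80000000u));
    while (grow_line_buffer(&buf, &bufsiz, 1024) == 0) { } /* 64..1024, then refuses */
    printf("final size %zu, buffer still owned by caller\n", bufsiz);
    free(buf);
    return 0;
}
```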
    • teor's avatar
      454bdb22
  14. 09 Apr, 2019 2 commits