- 09 Sep, 2019 1 commit
-
-
David Goulet authored
Closes #31673
-
- 19 Jul, 2019 1 commit
-
-
Overflowing a signed integer in C is an undefined behaviour. It is possible to trigger this undefined behaviour in tor_asprintf on Windows or systems lacking vasprintf.

On these systems, either _vscprintf or vsnprintf is called to retrieve the required amount of bytes to hold the string. These functions can return INT_MAX. The easiest way to recreate this is the use of a specially crafted configuration file, e.g. containing the line:

FirewallPorts AAAAA<in total 2147483610 As>

This line triggers the needed tor_asprintf call which eventually leads to an INT_MAX return value from _vscprintf or vsnprintf.

The needed byte for \0 is added to the result, triggering the overflow and therefore the undefined behaviour.

Casting the value to size_t before addition fixes the behaviour.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
- 29 May, 2019 2 commits
-
-
Nick Mathewson authored
-
If tor is compiled on a system with neither vasprintf nor _vscprintf, the fallback implementation exposes a logic flaw which prevents proper usage of strings longer than 127 characters:

* tor_vsnprintf returns -1 if supplied buffer is not large enough, but tor_vasprintf uses this function to retrieve required length
* the result of tor_vsnprintf is not properly checked for negative return values

Both aspects together could in theory lead to exposure of uninitialized stack memory in the resulting string. This requires an invalid format string or data that exceeds integer limitations.

Fortunately tor is not even able to run with this implementation because it runs into asserts early on during startup. Also the unit tests fail during a "make check" run.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> [backported to 0.2.9 by nickm]
-
- 15 Nov, 2018 1 commit
-
-
teor authored
Correctly identify Windows 8.1, Windows 10, and Windows Server 2008 and later from their NT versions. On recent Windows versions, the GetVersionEx() function may report an earlier Windows version than the running OS. To avoid user confusion, add "[or later]" to Tor's version string on affected versions of Windows. Remove Windows versions that were never supported by the GetVersionEx() function. Stop duplicating the latest Windows version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
-
- 17 Jan, 2018 1 commit
-
-
Nick Mathewson authored
-
- 04 Jan, 2018 1 commit
-
-
Nick Mathewson authored
Fixes bug 21074; bugfix on 46892432 in 0.0.9rc5 when we started doing setrlimit() in the first place.
-
- 11 Sep, 2017 1 commit
-
-
Nick Mathewson authored
-
- 05 Jul, 2017 1 commit
-
-
When setting the maximum number of connections allowed by the OS, always allow some extra file descriptors for other files. Fixes bug 22797; bugfix on 0.2.0.10-alpha.
-
- 03 Jul, 2017 1 commit
-
-
Nick Mathewson authored
Fixes bug 22789; bugfix on 0.2.3.8-alpha.
-
- 08 Nov, 2016 1 commit
-
-
Nick Mathewson authored
It's not okay to use the same varargs list twice, and apparently some windows build environments produce code here that would leave tor_asprintf() broken. Fix for bug 20560; bugfix on 0.2.2.11-alpha when tor_asprintf() was introduced.
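The three tor_asprintf() fixes described in this log (the INT_MAX length overflow, the unchecked negative length, and the varargs list used twice) shown together in one fallback, as an added example that is not Tor's code. The names demo_vasprintf and demo_asprintf are hypothetical, and a C99 vsnprintf that reports the required length is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Tor's tor_vasprintf(): format into a newly
 * allocated string using only C99 vsnprintf(). Returns the string length,
 * or -1 on error with *out set to NULL. */
static int demo_vasprintf(char **out, const char *fmt, va_list args)
{
    va_list probe;
    *out = NULL;
    /* A va_list can be consumed only once, so measure with a copy. */
    va_copy(probe, args);
    int len = vsnprintf(NULL, 0, fmt, probe);
    va_end(probe);
    if (len < 0)            /* error indicator, never a usable length */
        return -1;
    /* len may equal INT_MAX: widen first so "+ 1" is done in size_t. */
    size_t need = (size_t)len + 1;
    char *buf = malloc(need);
    if (buf == NULL)
        return -1;
    if (vsnprintf(buf, need, fmt, args) != len) {
        free(buf);
        return -1;
    }
    *out = buf;
    return len;
}

int demo_asprintf(char **out, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int r = demo_vasprintf(out, fmt, args);
    va_end(args);
    return r;
}

int main(void)
{
    char value[201], *line = NULL;   /* constructed sample input */
    memset(value, 'A', 200);
    value[200] = '\0';
    printf("%d\n", demo_asprintf(&line, "FirewallPorts %s", value));
    free(line);
    return 0;
}
```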
-
- 31 Oct, 2016 1 commit
-
-
Nick Mathewson authored
Previously we said we did, but didn't. Fixes #19968; bugfix on 0.2.3.1-alpha.
-
- 09 Sep, 2016 1 commit
-
-
Nick Mathewson authored
These seem to have caused warnings on windows. Hmmm.
-
- 06 Sep, 2016 1 commit
-
-
Nick Mathewson authored
The functions it warns about are: assert, memcmp, strcat, strcpy, sprintf, malloc, free, realloc, strdup, strndup, calloc. Also, fix a few lingering instances of these in the code. Use other conventions to indicate _intended_ use of assert and malloc/realloc/etc.
-
- 12 Aug, 2016 1 commit
-
-
- 29 Jul, 2016 1 commit
-
-
Andrea Shepard authored
-
- 28 Jul, 2016 1 commit
-
-
Nick Mathewson authored
These appeared on some of the Jenkins platforms. Apparently some GCCs care when you shadow globals, and some don't.
-
- 08 Jul, 2016 1 commit
-
-
Nick Mathewson authored
I'm not moving our "format and parse the time" functions, since those have been pretty volatile over the last couple of years.
-
- 20 Jun, 2016 2 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
Yes, HURD lacks PATH_MAX. But we already limited the maximum buffer to 4096, so why not just use that?
-
- 17 Jun, 2016 1 commit
-
-
The Autoconf macro AC_USE_SYSTEM_EXTENSIONS defines preprocessor macros which turn on extensions to C and POSIX. The macro also makes it easier for developers to use the extensions without needing (or forgetting) to define them manually. The macro can be safely used because it was introduced in Autoconf 2.60 and Tor requires Autoconf 2.63 and above.
-
- 16 Jun, 2016 1 commit
-
-
Nick Mathewson authored
-
- 15 Jun, 2016 1 commit
-
-
Nick Mathewson authored
I audited this to make sure I was only marking ones that really should be unreachable.
-
- 30 May, 2016 1 commit
-
-
Nick Mathewson authored
So, back long ago, XXX012 meant, "before Tor 0.1.2 is released, we had better revisit this comment and fix it!"

But we have a huge pile of such comments accumulated for a large number of released versions! Not cool.

So, here's what I tried to do:

* 0.2.9 and 0.2.8 are retained, since those are not yet released.
* XXX+ or XXX++ or XXX++++ or whatever means, "This one looks quite important!"
* The others, after one-by-one examination, are downgraded to plain old XXX. Which doesn't mean they aren't a problem -- just that they cannot possibly be a release-blocking problem.
-
- 12 May, 2016 1 commit
-
-
Nick Mathewson authored
The tm_wday field had been left uninitialized, which was causing some assertions to fail on Windows unit tests. Fixes bug 18977.
-
- 28 Feb, 2016 1 commit
-
-
Nick Mathewson authored
-
- 27 Feb, 2016 1 commit
-
-
Nick Mathewson authored
-
- 27 Jan, 2016 1 commit
-
-
Nick Mathewson authored
Avoid using a pronoun where it makes comments unclear. Avoid using gender for things that don't have it. Avoid assigning gender to people unnecessarily.
-
- 13 Jan, 2016 1 commit
-
-
Ola Bini authored
-
- 17 Dec, 2015 1 commit
-
-
The user parameter is not checked so we do not know the user has been specified.
-
- 15 Dec, 2015 3 commits
-
-
Nick Mathewson authored
* The option is now KeepBindCapabilities
* We now warn if the user specifically asked for KeepBindCapabilities and we can't deliver.
* The unit tests are willing to start.
* Fewer unused-variable warnings.
* More documentation, fewer misspellings.
-
Nick Mathewson authored
This feature allows us to bind low ports when starting as root and switching UIDs. Based on code by David Goulet. Implement feature 8195
-
This patch was generated using; sed -i -e "s/\bINLINE\b/inline/" src/*/*.[ch] src/*/*/*.[ch]
-
- 01 Dec, 2015 2 commits
- 27 Nov, 2015 3 commits
-
-
Nick Mathewson authored
-
Nick Mathewson authored
-
Nick Mathewson authored
-
- 20 Nov, 2015 1 commit
-
-
Nick Mathewson authored
-
- 19 Nov, 2015 1 commit
-
-
teor (Tim Wilson-Brown) authored
(But it won't work on some systems without IPv4/IPv6 localhost (some BSD jails) by design, to avoid creating sockets on routable IP addresses. However, those systems likely have the AF_UNIX socketpair, which tor prefers.) Fixes bug #17638; bugfix on a very early tor version, earlier than 22dba27d (23 Nov 2004) / svn:r2943. Patch by "teor".
-