Merge branch 'maint-0.2.2' into release-0.2.2

16 files changed, 76 insertions, 31 deletions

diff --git a/changes/bug3465-022 b/changes/bug3465-022
new file mode 100644
index 0000000000..2d226162aa
--- /dev/null
+++ b/changes/bug3465-022
@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+
+    - Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO
+      events/names' control-port command.  Bugfix on 0.2.2.9-alpha;
+      fixes part of bug 3465.
+
diff --git a/changes/cid_428 b/changes/cid_428
new file mode 100644
index 0000000000..cb0fc8c2b2
--- /dev/null
+++ b/changes/cid_428
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Always NUL-terminate the sun_path field of a sockaddr_un before
+      passing it to the kernel. (Not a security issue: kernels are
+      smart enough to reject bad sockaddr_uns.) Found by Coverity; CID
+      # 428. Bugfix on Tor 0.2.0.3-alpha.
diff --git a/changes/cid_450 b/changes/cid_450
new file mode 100644
index 0000000000..2045fca239
--- /dev/null
+++ b/changes/cid_450
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Don't stack-allocate the list of supplementary GIDs when we're
+      about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+      could take up to 256K, which is way too much stack.  Found by
+      Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
diff --git a/changes/memleak_rendcache b/changes/memleak_rendcache
new file mode 100644
index 0000000000..93b1f6141b
--- /dev/null
+++ b/changes/memleak_rendcache
@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Fix a memory leak when receiving a descriptor for a hidden
+      service we didn't ask for. Found by Coverity; CID#30. Bugfix on
+      0.2.2.26-beta.
diff --git a/doc/HACKING b/doc/HACKING
index 7ff9c5f3c2..feeb05d028 100644
--- a/doc/HACKING
+++ b/doc/HACKING
@@ -456,7 +456,6 @@ interesting and understandable.
 
    2.7) Run it through fmt to make it pretty.
 
-
 3) Compose a short release blurb to highlight the user-facing
 changes. Insert said release blurb into the ChangeLog stanza. If it's
 a stable release, add it to the ReleaseNotes file too. If we're adding
@@ -472,15 +471,19 @@ or somebody to try building it on Windows.
 6) Get at least two of weasel/arma/karsten to put the new version number
 in their approved versions list.
 
-7) Sign and push the tarball to the website in the dist/ directory. Sign
-and push the git tag.
-   (That's either "git tag -u <keyid> tor-0.2.x.y-status", then
-    "git push origin tag tor-0.2.x.y-status".  To sign the
-    tarball, "gpg -ba <the_tarball>".  Put the files in
-    /srv/www-master.torproject.org/htdocs/dist/ on vescum.)
+7) Sign the tarball, then sign and push the git tag:
+  gpg -ba <the_tarball>
+  git tag -u <keyid> tor-0.2.x.y-status
+  git push origin tag tor-0.2.x.y-status
+
+8) scp the tarball and its sig to the website in the dist/ directory
+(i.e. /srv/www-master.torproject.org/htdocs/dist/ on vescum). Edit
+include/versions.wmi to note the new version. From your website checkout,
+run ./publish to build and publish the website.
 
-8) Edit include/versions.wmi to note the new version. From your website
-checkout, run ./publish to build and publish the website.
+Try not to delay too much between scp'ing the tarball and running
+./publish -- the website has multiple A records and your scp only sent
+it to one of them.
 
 9) Email Erinn and weasel (cc'ing tor-assistants) that a new tarball
 is up. This step should probably change to mailing more packagers.
@@ -498,3 +501,4 @@ changelog to tor-talk or tor-announce.
 
   (We might be moving to faster announcements, but don't announce until
   the website is at least updated.)
+
diff --git a/src/common/compat.c b/src/common/compat.c
index 9377959eb4..80b4907b81 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -415,7 +415,7 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
  *
  * This function is <em>not</em> timing-safe.
  *
- * Requires that nlen be greater than zero.
+ * Requires that <b>nlen</b> be greater than zero.
  */
 const void *
 tor_memmem(const void *_haystack, size_t hlen,
@@ -1225,7 +1225,8 @@ log_credential_status(void)
   /* Read, effective and saved GIDs */
   gid_t rgid, egid, sgid;
   /* Supplementary groups */
-  gid_t sup_gids[NGROUPS_MAX + 1];
+  gid_t *sup_gids = NULL;
+  int sup_gids_size;
   /* Number of supplementary groups */
   int ngids;
 
@@ -1271,9 +1272,19 @@ log_credential_status(void)
 #endif
 
   /* log supplementary groups */
-  if ((ngids = getgroups(NGROUPS_MAX + 1, sup_gids)) < 0) {
+  sup_gids_size = 64;
+  sup_gids = tor_malloc(sizeof(gid_t) * 64);
+  while ((ngids = getgroups(sup_gids_size, sup_gids)) < 0 &&
+         errno == EINVAL &&
+         sup_gids_size < NGROUPS_MAX) {
+    sup_gids_size *= 2;
+    sup_gids = tor_realloc(sup_gids, sizeof(gid_t) * sup_gids_size);
+  }
+
+  if (ngids < 0) {
     log_warn(LD_GENERAL, "Error getting supplementary GIDs: %s",
              strerror(errno));
+    tor_free(sup_gids);
     return -1;
   } else {
     int i, retval = 0;
@@ -1303,6 +1314,7 @@ log_credential_status(void)
       tor_free(cp);
     });
     smartlist_free(elts);
+    tor_free(sup_gids);
 
     return retval;
   }
diff --git a/src/common/container.c b/src/common/container.c
index da44b7fe68..1515c387ad 100644
--- a/src/common/container.c
+++ b/src/common/container.c
@@ -338,7 +338,8 @@ smartlist_insert(smartlist_t *sl, int idx, void *val)
 
 /**
  * Split a string <b>str</b> along all occurrences of <b>sep</b>,
- * adding the split strings, in order, to <b>sl</b>.
+ * appending the (newly allocated) split strings, in order, to
+ * <b>sl</b>.  Return the number of strings added to <b>sl</b>.
  *
  * If <b>flags</b>&amp;SPLIT_SKIP_SPACE is true, remove initial and
  * trailing space from each entry.
@@ -347,7 +348,7 @@ smartlist_insert(smartlist_t *sl, int idx, void *val)
  * If <b>flags</b>&amp;SPLIT_STRIP_SPACE is true, strip spaces from each
  * split string.
  *
- * If max>0, divide the string into no more than <b>max</b> pieces. If
+ * If <b>max</b>\>0, divide the string into no more than <b>max</b> pieces. If
  * <b>sep</b> is NULL, split on any sequence of horizontal space.
  */
 int
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 6d7e71194e..1140f3314e 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1501,7 +1501,7 @@ get_unique_circ_id_by_conn(or_connection_t *conn)
 }
 
 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
- * the currently built elements of circuit_t.  If <b>verbose</b> is true, also
+ * the currently built elements of <b>circ</b>.  If <b>verbose</b> is true, also
  * list information about link status in a more verbose format using spaces.
  * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
  * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
@@ -1590,7 +1590,7 @@ circuit_list_path_impl(origin_circuit_t *circ, int verbose, int verbose_names)
 }
 
 /** If <b>verbose</b> is false, allocate and return a comma-separated
- * list of the currently built elements of circuit_t.  If
+ * list of the currently built elements of <b>circ</b>.  If
  * <b>verbose</b> is true, also list information about link status in
  * a more verbose format using spaces.
  */
@@ -1601,7 +1601,7 @@ circuit_list_path(origin_circuit_t *circ, int verbose)
 }
 
 /** Allocate and return a comma-separated list of the currently built elements
- * of circuit_t, giving each as a verbose nickname.
+ * of <b>circ</b>, giving each as a verbose nickname.
  */
 char *
 circuit_list_path_for_controller(origin_circuit_t *circ)
@@ -1610,7 +1610,7 @@ circuit_list_path_for_controller(origin_circuit_t *circ)
 }
 
 /** Log, at severity <b>severity</b>, the nicknames of each router in
- * circ's cpath. Also log the length of the cpath, and the intended
+ * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
  * exit point.
  */
 void
@@ -1622,7 +1622,7 @@ circuit_log_path(int severity, unsigned int domain, origin_circuit_t *circ)
 }
 
 /** Tell the rep(utation)hist(ory) module about the status of the links
- * in circ.  Hops that have become OPEN are marked as successfully
+ * in <b>circ</b>.  Hops that have become OPEN are marked as successfully
  * extended; the _first_ hop that isn't open (if any) is marked as
  * unable to extend.
  */
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index 8534c38075..e9cc9eb1f4 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -866,7 +866,7 @@ circuit_unlink_all_from_or_conn(or_connection_t *conn, int reason)
 }
 
 /** Return a circ such that:
- *  - circ-\>rend_data-\>query is equal to <b>rend_query</b>, and
+ *  - circ-\>rend_data-\>onion_address is equal to <b>rend_query</b>, and
  *  - circ-\>purpose is equal to <b>purpose</b>.
  *
  * Return NULL if no such circuit exists.
diff --git a/src/or/connection.c b/src/or/connection.c
index a9e3a74ed6..c791309d68 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -811,7 +811,13 @@ create_unix_sockaddr(const char *listenaddress, char **readable_address,
 
   sockaddr = tor_malloc_zero(sizeof(struct sockaddr_un));
   sockaddr->sun_family = AF_UNIX;
-  strncpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path));
+  if (strlcpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path))
+      >= sizeof(sockaddr->sun_path)) {
+    log_warn(LD_CONFIG, "Unix socket path '%s' is too long to fit.",
+             escaped(listenaddress));
+    tor_free(sockaddr);
+    return NULL;
+  }
 
   if (readable_address)
     *readable_address = tor_strdup(listenaddress);
@@ -2751,15 +2757,15 @@ connection_outbuf_too_full(connection_t *conn)
   return (conn->outbuf_flushlen > 10*CELL_PAYLOAD_SIZE);
 }
 
-/** Try to flush more bytes onto conn-\>s.
+/** Try to flush more bytes onto <b>conn</b>-\>s.
  *
  * This function gets called either from conn_write() in main.c
  * when poll() has declared that conn wants to write, or below
  * from connection_write_to_buf() when an entire TLS record is ready.
  *
- * Update conn-\>timestamp_lastwritten to now, and call flush_buf
+ * Update <b>conn</b>-\>timestamp_lastwritten to now, and call flush_buf
  * or flush_buf_tls appropriately. If it succeeds and there are no more
- * more bytes on conn->outbuf, then call connection_finished_flushing
+ * more bytes on <b>conn</b>-\>outbuf, then call connection_finished_flushing
  * on it too.
  *
  * If <b>force</b>, then write as many bytes as possible, ignoring bandwidth
diff --git a/src/or/control.c b/src/or/control.c
index 82017bd1d4..da0a95da15 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -1380,7 +1380,8 @@ getinfo_helper_misc(control_connection_t *conn, const char *question,
     *answer = tor_strdup("CIRC STREAM ORCONN BW DEBUG INFO NOTICE WARN ERR "
                          "NEWDESC ADDRMAP AUTHDIR_NEWDESCS DESCCHANGED "
                          "NS STATUS_GENERAL STATUS_CLIENT STATUS_SERVER "
-                         "GUARD STREAM_BW CLIENTS_SEEN NEWCONSENSUS");
+                         "GUARD STREAM_BW CLIENTS_SEEN NEWCONSENSUS "
+                         "BUILDTIMEOUT_SET");
   } else if (!strcmp(question, "features/names")) {
     *answer = tor_strdup("VERBOSE_NAMES EXTENDED_EVENTS");
   } else if (!strcmp(question, "address")) {
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index d114d8654e..7df9a2fcaa 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2415,7 +2415,7 @@ measured_bw_line_parse(measured_bw_line_t *out, const char *orig_line)
         tor_free(line);
         return -1;
       }
-      strncpy(out->node_hex, cp, sizeof(out->node_hex));
+      strlcpy(out->node_hex, cp, sizeof(out->node_hex));
       got_node_id=1;
     }
   } while ((cp = tor_strtok_r(NULL, " \t", &strtok_state)));
diff --git a/src/or/or.h b/src/or/or.h
index 97fecd1500..1909887bbd 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2318,14 +2318,14 @@ typedef struct or_circuit_t {
   cell_ewma_t p_cell_ewma;
 } or_circuit_t;
 
-/** Convert a circuit subtype to a circuit_t.*/
+/** Convert a circuit subtype to a circuit_t. */
 #define TO_CIRCUIT(x)  (&((x)->_base))
 
-/** Convert a circuit_t* to a pointer to the enclosing or_circuit_t.  Asserts
+/** Convert a circuit_t* to a pointer to the enclosing or_circuit_t.  Assert
  * if the cast is impossible. */
 static or_circuit_t *TO_OR_CIRCUIT(circuit_t *);
 /** Convert a circuit_t* to a pointer to the enclosing origin_circuit_t.
- * Asserts if the cast is impossible. */
+ * Assert if the cast is impossible. */
 static origin_circuit_t *TO_ORIGIN_CIRCUIT(circuit_t *);
 
 static INLINE or_circuit_t *TO_OR_CIRCUIT(circuit_t *x)
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index 3b18bf6078..c5bf88163d 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1041,6 +1041,7 @@ rend_cache_store(const char *desc, size_t desc_len, int published,
     log_warn(LD_REND, "Received service descriptor for service ID %s; "
              "expected descriptor for service ID %s.",
              query, safe_str(service_id));
+    rend_service_descriptor_free(parsed);
     return -2;
   }
   now = time(NULL);
diff --git a/src/test/Makefile.am b/src/test/Makefile.am
index 546fa2f4b7..904719d94b 100644
--- a/src/test/Makefile.am
+++ b/src/test/Makefile.am
@@ -8,7 +8,7 @@ AM_CPPFLAGS = -DSHARE_DATADIR="\"$(datadir)\"" \
 	-I"$(top_srcdir)/src/or"
 
 # -L flags need to go in LDFLAGS. -l flags need to go in LDADD.
-# This seems to matter nowhere but on windows, but I assure you that it
+# This seems to matter nowhere but on Windows, but I assure you that it
 # matters a lot there, and is quite hard to debug if you forget to do it.
 
 test_SOURCES = \
diff --git a/src/test/tinytest_demo.c b/src/test/tinytest_demo.c
index bd33cc37fa..4d2f588435 100644
--- a/src/test/tinytest_demo.c
+++ b/src/test/tinytest_demo.c
@@ -39,7 +39,7 @@
 /* ============================================================ */
 
 /* First, let's see if strcmp is working.  (All your test cases should be
- * functions declared to take a single void * as) an argument. */
+ * functions declared to take a single void * as an argument.) */
 void
 test_strcmp(void *data)
 {