diff options
| -rw-r--r-- | changes/bug30561 | 6 | ||||
| -rw-r--r-- | changes/bug30614 | 4 | ||||
| -rw-r--r-- | changes/bug30629 | 6 | ||||
| -rw-r--r-- | changes/bug30646 | 4 | ||||
| -rw-r--r-- | src/app/main/shutdown.c | 3 | ||||
| -rw-r--r-- | src/feature/control/control_cmd.c | 1 | ||||
| -rw-r--r-- | src/lib/malloc/map_anon.c | 4 | ||||
| -rw-r--r-- | src/lib/string/printf.c | 16 |
8 files changed, 39 insertions, 5 deletions
diff --git a/changes/bug30561 b/changes/bug30561 new file mode 100644 index 0000000000..afb3f02c62 --- /dev/null +++ b/changes/bug30561 @@ -0,0 +1,6 @@ + o Minor bugfixes (portability): + - Avoid crashing in our tor_vasprintf() implementation on systems that + define neither vasprintf() nor _vscprintf(). (This bug has been here + long enough that we question whether people are running Tor on such + systems, but we're applying the fix out of caution.) Fixes bug 30561; + bugfix on 0.2.8.2-alpha. Found and fixed by Tobias Stoeckmann. diff --git a/changes/bug30614 b/changes/bug30614 new file mode 100644 index 0000000000..9f904bd115 --- /dev/null +++ b/changes/bug30614 @@ -0,0 +1,4 @@ + o Minor bugfixes (NetBSD): + - Fix usage of minherit() on NetBSD and other platforms that define + MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug + 30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell. diff --git a/changes/bug30629 b/changes/bug30629 new file mode 100644 index 0000000000..59fa96ee68 --- /dev/null +++ b/changes/bug30629 @@ -0,0 +1,6 @@ + o Minor bugfixes (shutdown, libevent, memory safety): + - Avoid use-after-free bugs when shutting down, by making sure that we + shut down libevent only after shutting down all of its users. We + believe these are harmless in practice, since they only occur on the + shutdown path, and do not involve any attacker-controlled data. Fixes + bug 30629; bugfix on 0.4.1.1-alpha. diff --git a/changes/bug30646 b/changes/bug30646 new file mode 100644 index 0000000000..e95a54e3ef --- /dev/null +++ b/changes/bug30646 @@ -0,0 +1,4 @@ + o Minor bugfixes (controller): + - Repair the HSFETCH command so that it works again. Previously, it + expected a body when it shouldn't have. Fixes bug 30646; bugfix on + 0.4.1.1-alpha. diff --git a/src/app/main/shutdown.c b/src/app/main/shutdown.c index e4dcaa1324..cc0091a9ab 100644 --- a/src/app/main/shutdown.c +++ b/src/app/main/shutdown.c @@ -157,10 +157,11 @@ tor_free_all(int postfork) if (!postfork) { release_lockfile(); } - tor_libevent_free_all(); subsystems_shutdown(); + tor_libevent_free_all(); + /* Stuff in util.c and address.c*/ if (!postfork) { esc_router_info(NULL); diff --git a/src/feature/control/control_cmd.c b/src/feature/control/control_cmd.c index 17d5b0c7f3..abb579bd43 100644 --- a/src/feature/control/control_cmd.c +++ b/src/feature/control/control_cmd.c @@ -1385,7 +1385,6 @@ static const control_cmd_syntax_t hsfetch_syntax = { .min_args = 1, .max_args = 1, .accept_keywords = true, .allowed_keywords = hsfetch_keywords, - .want_cmddata = true, }; /** Implementation for the HSFETCH command. */ diff --git a/src/lib/malloc/map_anon.c b/src/lib/malloc/map_anon.c index f4fda00bff..e2c41ab9c3 100644 --- a/src/lib/malloc/map_anon.c +++ b/src/lib/malloc/map_anon.c @@ -50,11 +50,15 @@ #ifdef INHERIT_ZERO #define FLAG_ZERO INHERIT_ZERO +#elif defined(MAP_INHERIT_ZERO) +#define FLAG_ZERO MAP_INHERIT_ZERO #endif #ifdef INHERIT_NONE #define FLAG_NOINHERIT INHERIT_NONE #elif defined(VM_INHERIT_NONE) #define FLAG_NOINHERIT VM_INHERIT_NONE +#elif defined(MAP_INHERIT_NONE) +#define FLAG_NOINHERIT MAP_INHERIT_NONE #endif #elif defined(HAVE_MADVISE) diff --git a/src/lib/string/printf.c b/src/lib/string/printf.c index 415d4ac4a7..a5cb71ce09 100644 --- a/src/lib/string/printf.c +++ b/src/lib/string/printf.c @@ -131,14 +131,24 @@ tor_vasprintf(char **strp, const char *fmt, va_list args) * characters we need. We give it a try on a short buffer first, since * it might be nice to avoid the second vsnprintf call. */ + /* XXXX This code spent a number of years broken (see bug 30651). It is + * possible that no Tor users actually run on systems without vasprintf() or + * _vscprintf(). If so, we should consider removing this code. */ char buf[128]; int len, r; va_list tmp_args; va_copy(tmp_args, args); - /* vsnprintf() was properly checked but tor_vsnprintf() available so - * why not use it? */ - len = tor_vsnprintf(buf, sizeof(buf), fmt, tmp_args); + /* Use vsnprintf to retrieve needed length. tor_vsnprintf() is not an + * option here because it will simply return -1 if buf is not large enough + * to hold the complete string. + */ + len = vsnprintf(buf, sizeof(buf), fmt, tmp_args); va_end(tmp_args); + buf[sizeof(buf) - 1] = '\0'; + if (len < 0) { + *strp = NULL; + return -1; + } if (len < (int)sizeof(buf)) { *strp = tor_strdup(buf); return len; |