10 files changed, 40 insertions, 28 deletions

diff --git a/changes/bug16913 b/changes/bug16913
new file mode 100644
index 0000000000..464140b538
--- /dev/null
+++ b/changes/bug16913
@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Fix an usage message of tor-resolve(1) so that it no longer lists
+      the removed -F option. Resolves ticket #16913; bugfix on Tor
+      0.2.2.28-beta.
diff --git a/changes/bug16924 b/changes/bug16924
new file mode 100644
index 0000000000..a1bc96e54d
--- /dev/null
+++ b/changes/bug16924
@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - When calling channel_free_list(), avoid calling smartlist_remove()
+      while inside a FOREACH loop. This partially reverts commit
+      17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
+      removed.  Fixes bug 16929; bugfix on 0.2.4.4-alpha.
+
diff --git a/changes/bug16929 b/changes/bug16929
new file mode 100644
index 0000000000..83e60d7eb2
--- /dev/null
+++ b/changes/bug16929
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - include the TUNING document in our source tarball. It is referred
+      to in the ChangeLog and an error message. Fixes bug 16929; bugfix
+      on 0.2.6.1-alpha.
+
diff --git a/doc/include.am b/doc/include.am
index 47f1ab3433..ff2de845b2 100644
--- a/doc/include.am
+++ b/doc/include.am
@@ -37,7 +37,7 @@ endif
 EXTRA_DIST+= doc/HACKING doc/asciidoc-helper.sh			\
              $(html_in) $(man_in) $(txt_in)			\
              doc/state-contents.txt				\
-             doc/torrc_format.txt
+             doc/torrc_format.txt doc/TUNING
 
 docdir = @docdir@
 
diff --git a/src/ext/ed25519/donna/modm-donna-64bit.h b/src/ext/ed25519/donna/modm-donna-64bit.h
index b22df2be75..012ea9ea08 100644
--- a/src/ext/ed25519/donna/modm-donna-64bit.h
+++ b/src/ext/ed25519/donna/modm-donna-64bit.h
@@ -261,6 +261,10 @@ contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int wi
 			continue;
 
 		for (b = 1; (b < (soplen - j)) && (b <= 6); b++) {
+			/* XXX Tor: coverity scan says that r[j+b] can
+			 * overflow, but that's not possible: b < (soplen-j)
+			 * guarantees that b + j < soplen, so b+j < 256,
+			 * so the index doesn't overflow. */
 			if ((r[j] + (r[j + b] << b)) <= m) {
 				r[j] += r[j + b] << b;
 				r[j + b] = 0;
diff --git a/src/or/channel.c b/src/or/channel.c
index af095026e4..21522a5303 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -3069,6 +3069,7 @@ channel_free_list(smartlist_t *channels, int mark_for_close)
     if (curr->cmux) {
       circuitmux_detach_all_circuits(curr->cmux, NULL);
     }
+    SMARTLIST_DEL_CURRENT(channels, curr);
     channel_unregister(curr);
     if (mark_for_close) {
       if (!CHANNEL_CONDEMNED(curr)) {
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 58ab009cbf..e5b180696b 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -3745,7 +3745,9 @@ validate_recommended_package_line(const char *line)
     cp = end_of_word + 1;
   }
 
-  return (n_entries == 0) ? 0 : 1;
+  /* If we reach this point, we have at least 1 entry. */
+  tor_assert(n_entries > 0);
+  return 1;
 }
 
 /** Release all storage used by the directory server. */
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index db6bc4b72e..f3a09ddaf2 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -40,7 +40,7 @@ static rend_intro_point_t *find_expiring_intro_point(
 
 static extend_info_t *find_rp_for_intro(
     const rend_intro_cell_t *intro,
-    uint8_t *need_free_out, char **err_msg_out);
+    char **err_msg_out);
 
 static int intro_point_accepted_intro_count(rend_intro_point_t *intro);
 static int intro_point_should_expire_now(rend_intro_point_t *intro,
@@ -1456,13 +1456,6 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
   rend_intro_cell_t *parsed_req = NULL;
   /* Rendezvous point */
   extend_info_t *rp = NULL;
-  /*
-   * We need to look up and construct the extend_info_t for v0 and v1,
-   * but all the info is in the cell and it's constructed by the parser
-   * for v2 and v3, so freeing it would be a double-free.  Use this to
-   * keep track of whether we should free it.
-   */
-  uint8_t need_rp_free = 0;
   /* XXX not handled yet */
   char buf[RELAY_PAYLOAD_SIZE];
   char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN]; /* Holds KH, Df, Db, Kf, Kb */
@@ -1602,7 +1595,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
   ++(intro_point->accepted_introduce2_count);
 
   /* Find the rendezvous point */
-  rp = find_rp_for_intro(parsed_req, &need_rp_free, &err_msg);
+  rp = find_rp_for_intro(parsed_req, &err_msg);
   if (!rp)
     goto log_error;
 
@@ -1761,27 +1754,25 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
   /* Free the parsed cell */
   rend_service_free_intro(parsed_req);
 
-  /* Free rp if we must */
-  if (need_rp_free) extend_info_free(rp);
+  /* Free rp */
+  extend_info_free(rp);
 
   return status;
 }
 
 /** Given a parsed and decrypted INTRODUCE2, find the rendezvous point or
- * return NULL and an error string if we can't.
- */
-
+ * return NULL and an error string if we can't. Return a newly allocated
+ * extend_info_t* for the introduction point. */
 static extend_info_t *
 find_rp_for_intro(const rend_intro_cell_t *intro,
-                  uint8_t *need_free_out, char **err_msg_out)
+                  char **err_msg_out)
 {
   extend_info_t *rp = NULL;
   char *err_msg = NULL;
   const char *rp_nickname = NULL;
   const node_t *node = NULL;
-  uint8_t need_free = 0;
 
-  if (!intro || !need_free_out) {
+  if (!intro) {
     if (err_msg_out)
       err_msg = tor_strdup("Bad parameters to find_rp_for_intro()");
 
@@ -1812,13 +1803,11 @@ find_rp_for_intro(const rend_intro_cell_t *intro,
       }
 
       goto err;
-    } else {
-      need_free = 1;
     }
   } else if (intro->version == 2) {
-    rp = intro->u.v2.extend_info;
+    rp = extend_info_dup(intro->u.v2.extend_info);
   } else if (intro->version == 3) {
-    rp = intro->u.v3.extend_info;
+    rp = extend_info_dup(intro->u.v3.extend_info);
   } else {
     if (err_msg_out) {
       tor_asprintf(&err_msg,
@@ -1836,8 +1825,6 @@ find_rp_for_intro(const rend_intro_cell_t *intro,
   else tor_free(err_msg);
 
  done:
-  if (rp && need_free_out) *need_free_out = need_free;
-
   return rp;
 }
 
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 80b26e6bf8..50659fcb69 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -295,6 +295,7 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
     if (rv == 0) {
       have_secret = 1;
       loaded_secret_fname = secret_fname;
+      tor_assert(got_tag);
     } else {
       if (errno != ENOENT && norepair) {
         tor_log(severity, LD_OR, "Unable to read %s: %s", secret_fname,
@@ -482,10 +483,12 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
     tor_log(severity, LD_OR, "Cert was for wrong key");
     bad_cert = 1;
   } else if (signing_key &&
-             tor_cert_checksig(cert, &signing_key->pubkey, now) < 0 &&
-             (signing_key || cert->cert_expired)) {
+             tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
     tor_log(severity, LD_OR, "Can't check certificate");
     bad_cert = 1;
+  } else if (cert->cert_expired) {
+    tor_log(severity, LD_OR, "Certificate is expired");
+    bad_cert = 1;
   } else if (signing_key && cert->signing_key_included &&
              ! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) {
     tor_log(severity, LD_OR, "Certificate signed by unexpectd key!");
diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c
index 08bce15e69..29f85c4d17 100644
--- a/src/tools/tor-resolve.c
+++ b/src/tools/tor-resolve.c
@@ -327,7 +327,7 @@ do_resolve(const char *hostname, uint32_t sockshost, uint16_t socksport,
 static void
 usage(void)
 {
-  puts("Syntax: tor-resolve [-4] [-5] [-v] [-x] [-F] [-p port] "
+  puts("Syntax: tor-resolve [-4] [-5] [-v] [-x] [-p port] "
        "hostname [sockshost[:socksport]]");
   exit(1);
 }