Age | Commit message | Author
2011-01-15 | fold in another set of changes (tor-0.2.2.21-alpha) | Roger Dingledine
2011-01-15 | Merge branch 'maint-0.2.2' into release-0.2.2 | Roger Dingledine
2011-01-15 | Merge commit 'sebastian/bug2317' into maint-0.2.2 | Roger Dingledine
2011-01-15 | add in missing changelog entries | Roger Dingledine
2011-01-15 | Merge branch 'maint-0.2.2' into release-0.2.2 | Roger Dingledine
2011-01-15 | Merge branch 'maint-0.2.1' into maint-0.2.2 | Roger Dingledine
2011-01-15 | 0.2.1.29 changelog and blurb | Roger Dingledine
2011-01-15 | fold in more changes entries | Roger Dingledine
2011-01-15 | repeat overlapping changelog entries | Roger Dingledine
2011-01-15 | bump to 0.2.2.21-alpha | Roger Dingledine
2011-01-15 | Merge branch 'maint-0.2.2' into release-0.2.2 | Roger Dingledine
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-15 | Fix a couple of non-cleared key issues in hidden services | Nick Mathewson
we need to do more hunting, but this fixes the ones mentioned in 2385.
2011-01-15 | Zero out some more key data before freeing it | Nick Mathewson
Found by cypherpunks; fixes bug 2384.
2011-01-15 | Update the spec with the new bounds | Sebastian Hahn
2011-01-15 | Tighten accepted circwindow parameters | Sebastian Hahn
Based on discussion in bug 2317, these values seem to be sane.
2011-01-15 | Provide constant limits for all consensus params | Sebastian Hahn
This addresses Nick's concern about doing non-constant bounds checking inside networkstatus_get_param().
2011-01-15 | Fix a typo spotted by Roger | Sebastian Hahn
2011-01-15 | Sanity-check consensus param values | Sebastian Hahn
We need to make sure that the worst thing that a weird consensus param can do to us is to break our Tor (and only if the other Tors are reliably broken in the same way) so that the majority of directory authorities can't pull any attacks that are worse than the DoS that they can trigger by simply shutting down.

One of these worse things was the cbtnummodes parameter, which could lead to heap corruption on some systems if the value was sufficiently large. This commit fixes this particular issue and also introduces sanity checking for all consensus parameters.
2011-01-15 | Make get_net_param_from_list() static | Sebastian Hahn
This prepares for making the accessor method for consensus parameters safer in the next commit.
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
Conflicts: src/or/routerparse.c src/or/test.c
2011-01-15 | Merge branch 'bug2352_obsize' into maint-0.2.1 | Nick Mathewson
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-15 | Add missing check for hostname answer_len in dnsserv size | Nick Mathewson
This is checked elsewhere too, but let's be RFC-conformant.
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-15 | Merge branch 'bug2332_part2' into maint-0.2.1 | Nick Mathewson
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-15 | Merge branch 'bug2324_uncompress' into maint-0.2.1 | Nick Mathewson
2011-01-15 | clean up message; explain a magic number in a comment | Nick Mathewson
2011-01-15 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
Conflicts: src/or/config.c src/or/networkstatus.c src/or/rendcommon.c src/or/routerparse.c src/or/test.c
2011-01-15 | make the description of tolen_asserts more dire | Nick Mathewson
We have a CVE # for this bug.
2011-01-15 | Fix a heap overflow found by debuger, and make it harder to make that mistake again | Nick Mathewson
Our public key functions assumed that they were always writing into a large enough buffer. In one case, they weren't.

(Incorporates fixes from sebastian)
2011-01-15 | Always nul-terminate the result passed to evdns_server_add_ptr_reply | Nick Mathewson
In dnsserv_resolved(), we carefully made a nul-terminated copy of the answer in a PTR RESOLVED cell... then never used that nul-terminated copy. Ouch.

Surprisingly this one isn't as huge a security problem as it could be. The only place where the input to dnsserv_resolved wasn't necessarily nul-terminated was when it was called indirectly from relay.c with the contents of a relay cell's payload. If the end of the payload was filled with junk, eventdns.c would take the strdup() of the name [This part is bad; we might crash there if the cell is in a bad part of the stack or the heap] and get a name of at least length 495[*]. eventdns.c then rejects any name of length over 255, so the bogus data would be neither transmitted nor altered.

[*] If the name was less than 495 bytes long, the client wouldn't actually be reading off the end of the cell.

Nonetheless this is a reasonably annoying bug. Better fix it.

Found while looking at bug 2332, reported by doorss. Bugfix on 0.2.0.1-alpha.
2011-01-15 | catch another overlong malloc possibility. found by cypherpunks | Nick Mathewson
2011-01-15 | Fix another instance of "128" in buffers.c. More bug2330. | Nick Mathewson
2011-01-12 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-12 | Make our replacement INT32_MAX always signed | Nick Mathewson
The C standard says that INT32_MAX is supposed to be a signed integer. On platforms that have it, we get the correct platform-defined value. Our own replacement, however, was unsigned. That's going to cause a bug somewhere eventually.
2011-01-12 | Merge remote branch 'public/bug2363' into maint-0.2.2 | Nick Mathewson
2011-01-12 | Merge remote branch 'sebastian/bug2337' into maint-0.2.2 | Nick Mathewson
2011-01-12 | Merge branch 'bug2331' into maint-0.2.2 | Nick Mathewson
2011-01-12 | add a missing "not" in bug2331 changelog | Nick Mathewson
2011-01-12 | Merge branch 'bug2346' into maint-0.2.2 | Nick Mathewson
2011-01-12 | Explain bug2346 fix better based on suggestions from arma | Nick Mathewson
2011-01-12 | Fix an autoconf warning | Sebastian Hahn
2011-01-10 | Pull up more data when parsing socks messages | Nick Mathewson
Previously, we only looked at up to 128 bytes. This is a bad idea since socks messages can be at least 256+x bytes long. Now we look at up to 512 bytes; this should be enough for 0.2.2.x to handle all valid SOCKS messages. For 0.2.3.x, we can think about handling trickier cases. Fixes 2330. Bugfix on 0.2.0.16-alpha.
2011-01-10 | Wait 60 minutes before retrying failed state save; bug2346 | Nick Mathewson
2011-01-10 | Always nul-terminate the result passed to evdns_server_add_ptr_reply | Nick Mathewson
In dnsserv_resolved(), we carefully made a nul-terminated copy of the answer in a PTR RESOLVED cell... then never used that nul-terminated copy. Ouch.

Surprisingly this one isn't as huge a security problem as it could be. The only place where the input to dnsserv_resolved wasn't necessarily nul-terminated was when it was called indirectly from relay.c with the contents of a relay cell's payload. If the end of the payload was filled with junk, eventdns.c would take the strdup() of the name [This part is bad; we might crash there if the cell is in a bad part of the stack or the heap] and get a name of at least length 495[*]. eventdns.c then rejects any name of length over 255, so the bogus data would be neither transmitted nor altered.

[*] If the name was less than 495 bytes long, the client wouldn't actually be reading off the end of the cell.

Nonetheless this is a reasonably annoying bug. Better fix it.

Found while looking at bug 2332, reported by doorss. Bugfix on 0.2.0.1-alpha.
2011-01-10 | Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 | Nick Mathewson
2011-01-10 | Impose maximum sizes on parsed objects | Nick Mathewson
An object, you'll recall, is something between -----BEGIN----- and -----END----- tags in a directory document. Some of our code, as doorss has noted in bug 2352, could assert if one of these ever overflowed SIZE_T_CEILING but not INT_MAX. As a solution, I'm setting a maximum size on a single object such that neither of these limits will ever be hit. I'm also fixing the INT_MAX checks, just to be sure.
2011-01-10 | Add logic in routerparse to not read overlong private keys | Nick Mathewson
I am not at all sure that it is possible to trigger a bug here, but better safe than sorry.