From 532c13693e97565fe50a8a788d669d3ec94ad822 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 02:16:24 +0200
Subject: Fix a docstring

---
 src/or/control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/or/control.c b/src/or/control.c
index 9f7739a402..28780d2989 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -3875,7 +3875,7 @@ static int bootstrap_problems = 0;
  * information and initial circuits.
  *
  * <b>status</b> is the new status, that is, what task we will be doing
- * next. <b>percent</b> is zero if we just started this task, else it
+ * next. <b>progress</b> is zero if we just started this task, else it
  * represents progress on the task. */
 void
 control_event_bootstrap(bootstrap_status_t status, int progress)
-- 
cgit v1.2.3-54-g00ecf


From 58a16a4d6f47728e029cc8380604bda262a40d30 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 02:20:29 +0200
Subject: Add an assert to un-confuse clang's analyzer

The analyzer assumed that bootstrap_percent could be less than 0 when we
call control_event_bootstrap_problem(), which would mean we're calling
log_fn() with undefined values. The assert makes it clear this can't
happen.
---
 src/or/control.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/or/control.c b/src/or/control.c
index 28780d2989..926a465203 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -3931,6 +3931,9 @@ control_event_bootstrap_problem(const char *warn, int reason)
   char buf[BOOTSTRAP_MSG_LEN];
   const char *recommendation = "ignore";
 
+  /* bootstrap_percent must not be in "undefined" state here. */
+  tor_assert(status >= 0);
+
   if (bootstrap_percent == 100)
     return; /* already bootstrapped; nothing to be done here. */
 
-- 
cgit v1.2.3-54-g00ecf


From 80e57af50fe06ac76733ee99644c5efe797b2b8c Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 03:01:25 +0200
Subject: Appease clang - and my tortured mind

This possible div by 0 warning from clang's analyzer was quite fun to
track down. Turns out the current behaviour is safe.
---
 src/or/circuitbuild.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 0e033a5899..2189e0e557 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -559,7 +559,9 @@ circuit_build_times_create_histogram(circuit_build_times_t *cbt,
  * Return the Pareto start-of-curve parameter Xm.
  *
  * Because we are not a true Pareto curve, we compute this as the
- * weighted average of the N=3 most frequent build time bins.
+ * weighted average of the N most frequent build time bins. N is either
+ * 1 if we don't have enough circuit build time data collected, or
+ * determined by the consensus parameter cbtnummodes (default 3).
  */
 static build_time_t
 circuit_build_times_get_xm(circuit_build_times_t *cbt)
@@ -572,6 +574,9 @@ circuit_build_times_get_xm(circuit_build_times_t *cbt)
   int n=0;
   int num_modes = circuit_build_times_default_num_xm_modes();
 
+  tor_assert(nbins > 0);
+  tor_assert(num_modes > 0);
+
   // Only use one mode if < 1000 buildtimes. Not enough data
   // for multiple.
   if (cbt->total_build_times < CBT_NCIRCUITS_TO_OBSERVE)
@@ -579,6 +584,7 @@ circuit_build_times_get_xm(circuit_build_times_t *cbt)
 
   nth_max_bin = (build_time_t*)tor_malloc_zero(num_modes*sizeof(build_time_t));
 
+  /* Determine the N most common build times */
   for (i = 0; i < nbins; i++) {
     if (histogram[i] >= histogram[nth_max_bin[0]]) {
       nth_max_bin[0] = i;
@@ -600,6 +606,10 @@ circuit_build_times_get_xm(circuit_build_times_t *cbt)
              histogram[nth_max_bin[n]]);
   }
 
+  /* The following assert is safe, because we don't get called when we
+   * haven't observed at least CBT_MIN_MIN_CIRCUITS_TO_OBSERVE circuits. */
+  tor_assert(bin_counts > 0);
+
   ret /= bin_counts;
   tor_free(histogram);
   tor_free(nth_max_bin);
-- 
cgit v1.2.3-54-g00ecf


From 8ebb3ce6e27c104e35d65662c04d23795f2b5605 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 03:24:04 +0200
Subject: CONN_LOG_PROTECT()'s first argument may not be 0

Make that explicit by adding an assert and removing a null-check. All of
its callers currently depend on the argument being non-null anyway.
Silences a few clang complaints.
---
 src/or/or.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/or/or.h b/src/or/or.h
index 7d354c8fe1..f693ad908c 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3203,7 +3203,9 @@ typedef enum buildtimeout_set_event_t {
  */
 #define CONN_LOG_PROTECT(conn, stmt)                                    \
   STMT_BEGIN                                                            \
-    int _log_conn_is_control = (conn && conn->type == CONN_TYPE_CONTROL); \
+    int _log_conn_is_control;                                           \
+    tor_assert(conn);                                                   \
+    _log_conn_is_control = (conn->type == CONN_TYPE_CONTROL);           \
     if (_log_conn_is_control)                                           \
       disable_control_logging();                                        \
   STMT_BEGIN stmt; STMT_END;                                            \
-- 
cgit v1.2.3-54-g00ecf


From 1827e60976d54d1917dfc54bdf62b4818662ac12 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 04:23:35 +0200
Subject: Fix a potential null deref when rebuilding md cache

Issue discovered using clang's static analyzer
---
 changes/mdesc_null_deref | 5 +++++
 src/or/microdesc.c       | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changes/mdesc_null_deref

diff --git a/changes/mdesc_null_deref b/changes/mdesc_null_deref
new file mode 100644
index 0000000000..30f0280536
--- /dev/null
+++ b/changes/mdesc_null_deref
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Avoid a possible null-pointer dereference when rebuilding the mdesc
+      cache without actually having any descriptors to cache. Bugfix on
+      0.2.2.6-alpha. Issue discovered using clang's static analyzer.
+
diff --git a/src/or/microdesc.c b/src/or/microdesc.c
index 73d2285009..5740c40d5f 100644
--- a/src/or/microdesc.c
+++ b/src/or/microdesc.c
@@ -423,7 +423,7 @@ microdesc_cache_rebuild(microdesc_cache_t *cache, int force)
   cache->journal_len = 0;
   cache->bytes_dropped = 0;
 
-  new_size = (int)cache->cache_content->size;
+  new_size = cache->cache_content ? (int)cache->cache_content->size : 0;
   log_info(LD_DIR, "Done rebuilding microdesc cache. "
            "Saved %d bytes; %d still used.",
            orig_size-new_size, new_size);
-- 
cgit v1.2.3-54-g00ecf


From 1c668540fef93d71e72cfed73955ee705f27163e Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 04:38:55 +0200
Subject: Fix potential null pointer deref during dirvote

Found by using clang's analyzer.
---
 changes/dirvote_null_deref | 4 ++++
 src/or/dirvote.c           | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 changes/dirvote_null_deref

diff --git a/changes/dirvote_null_deref b/changes/dirvote_null_deref
new file mode 100644
index 0000000000..65dc519f52
--- /dev/null
+++ b/changes/dirvote_null_deref
@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Fix a potential null-pointer dereference while computing a consensus.
+      Bugfix on tor-0.2.0.3-alpha, found with the help of clang's analyzer.
+
diff --git a/src/or/dirvote.c b/src/or/dirvote.c
index db2eaf0f4f..750c649f51 100644
--- a/src/or/dirvote.c
+++ b/src/or/dirvote.c
@@ -444,9 +444,9 @@ compute_routerstatus_consensus(smartlist_t *votes, int consensus_method,
     if (cur && !compare_vote_rs(cur, rs)) {
       ++cur_n;
     } else {
-      if (cur_n > most_n ||
-          (cur && cur_n == most_n &&
-           cur->status.published_on > most_published)) {
+      if (cur && (cur_n > most_n ||
+                  (cur_n == most_n &&
+                   cur->status.published_on > most_published))) {
         most = cur;
         most_n = cur_n;
         most_published = cur->status.published_on;
-- 
cgit v1.2.3-54-g00ecf


From d7d25558fafbff15fb10c6e226824f9f0f6d99c7 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 04:45:48 +0200
Subject: Remove a duplicated line, found by clang

---
 src/or/connection.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/or/connection.c b/src/or/connection.c
index 6e7bbd5bad..fc2097f9a9 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1240,7 +1240,7 @@ connection_connect(connection_t *conn, const char *address,
 {
   int s, inprogress = 0;
   char addrbuf[256];
-  struct sockaddr *dest_addr = (struct sockaddr*) addrbuf;
+  struct sockaddr *dest_addr;
   socklen_t dest_addr_len;
   or_options_t *options = get_options();
   int protocol_family;
-- 
cgit v1.2.3-54-g00ecf


From 9da4e25183317ea87d1e7f14e9b13e0530ea0240 Mon Sep 17 00:00:00 2001
From: Sebastian Hahn <sebastian@torproject.org>
Date: Tue, 26 Apr 2011 04:50:15 +0200
Subject: Remove some dead code, found by clang

---
 src/or/connection_or.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 4b932ec51e..c6049d51f6 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1414,9 +1414,8 @@ connection_or_send_netinfo(or_connection_t *conn)
     len = append_address_to_payload(out, &my_addr);
     if (len < 0)
       return -1;
-    out += len;
   } else {
-    *out++ = 0;
+    *out = 0;
   }
 
   connection_or_write_cell_to_buf(&cell, conn);
-- 
cgit v1.2.3-54-g00ecf