Administrivia: Fix erroneous GPL3+ licence notices "version d or later" (!) Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Copyright updates - update to GPLv3, etc. Update to GPLv3. secnet as actually installed is GPLv3+ anyway because it depends on python-ipaddr (Apache 2.0, which is GPLv2-incompatible), adns (now GPLv3+), and libgmp (now LGPLv3+). Also: * Add missing copyright notices and credits. * Get rid of old FSF street address; use URL instead. * Remove obsolete LICENCE.txt (which was for snprintf reimplementation). * Remove obsolete references to Cendio (for old ipaddr.py, now gone). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Static buffers: Provide new rotating static buffer macros. Provide new macros SBUF_DEFINE and SBUF which replace the open coded rotating static buffers in ipaddr_getbuf (ipaddr_to_string and subnet_to_string) and iaddr_to_string. No functional change. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Static buffers: Replace references to bufs[b]. Introduce a new macro SBUF which currently refers to bufs[b]. We are going to change its definition in a moment. Splitting the patches up this way makes it easier to see that they're right. No functional change in this patch. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Static buffers: ipaddr_getbuf: Rename some variables. Rename ipaddr_bufnum to b and ipaddr_bufs to bufs. That makes the naming consistent with the other ad-hoc rotating buffers in iaddr_to_string. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
NEW etc.: Use NEW at non-formulaic call sites. Manually replace calls to safe_malloc with NEW. Calls where safe_malloc was used to allocate a byte array (or a string buffer) are left alone. Some simple calls to allocate a single object are replaced with NEW (in COMM_APPLY, init_log, resolve_request, transform_cbcmac_module, TRANSFORM_CREATE_CORE). Some calls which were allocating arrays are replaced with NEW_ARY (in dict_keys, ipset_new). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
NEW etc.: Replace most calls to safe_realloc_ary. Replace with REALLOC_ARY whenever the array object size is not 1. In subnet_list_set_len and ipset_set_len we abolish the unnecessary temporary variable `nd'. In subnet_list_set_len we also simplify the assert integer overflow condition (the division is not needed because REALLOC_ARY and hence safe_malloc_ary will check for potential multiplication overflow). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
NEW etc.: Use NEW_ARY. Replace all calls to safe_malloc_ary with the NEW_ARY wrapper. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
NEW etc.: Use NEW in all obvious places. Entirely automatic conversion, using the following Perl rune: perl -i~ -pe 's#^(\s+)(\w+)=safe_malloc\(sizeof\(\*\2\),"[^"]+"\);$#$1NEW($2);#' *.c conffile.fl conffile.y Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
util.h etc.: Provide MAX_RAW and MIN_RAW; etc. MAX and MIN are unsuitable for use where a constant expression is required. Provide MAX_RAW and MIN_RAW which are suitable but might evaluate the left argument twice. Remove max() in ipaddr.c and replace the call with one to MAX (not MAX_RAW). (The old max macro there is operator-priority-unsafe but there is only one call site and it happens to be OK.) We are going to use MAX_RAW later. No functional change. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
cleanup: Replace a few calls to malloc/realloc with safe_malloc Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Make list_length and string_item_to_ipaddr const-correct. No functional change. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
subnet_to_string: Do not allocate. None of the three call sites want to keep the value for any length of time - they just use it right away. Replace the allocation with a use of the round-robin buffers from ipaddr_getbuf, and remove the frees at the call sites. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
ipaddr_to_string: SECURITY: Do not allocate. ipaddr_to_string is used in many places including runtime logging. Handling its memory allocation is annoyingly fiddly. Indeed there is at least one possible memory leak, which represents a potential denial of service bug. None of the callers keep the answers for any length of time. So make it return the next one of a series of round-robin buffers, instead, and remove all the freeing at all the call sites. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
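The round-robin static buffer pattern that the "Static buffers" and "ipaddr_to_string: SECURITY: Do not allocate" commits describe, as an added illustration that is not secnet's own code: the ROT_BUFS_DEFINE/ROT_NEXT macros and the ipv4_to_string function are assumptions standing in for SBUF_DEFINE/SBUF and ipaddr_getbuf, whose exact definitions are not shown here. The example also shows the caveat the pattern carries: a returned pointer is only valid until the same buffer comes round again.

```c
/* Added example (not secnet's code): rotating static buffers for
   "format and use immediately" string conversions.  Names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Define N static buffers of SIZE bytes plus the index of the last one handed out */
#define ROT_BUFS_DEFINE(N, SIZE)                       \
    static char rot_bufs[N][SIZE];                     \
    static int rot_bufnum;                             \
    enum { ROT_NBUFS = (N), ROT_BUFSIZE = (SIZE) }

/* Advance to the next buffer in the ring and yield it */
#define ROT_NEXT() (rot_bufs[rot_bufnum = (rot_bufnum + 1) % ROT_NBUFS])

ROT_BUFS_DEFINE(4, 16);   /* 4 buffers, each big enough for "255.255.255.255\0" */

/* Format a host-order IPv4 address as a dotted quad.  No allocation, so the
   caller has nothing to free and nothing to leak in a logging path. */
const char *ipv4_to_string(uint32_t a) {
    char *b = ROT_NEXT();
    snprintf(b, ROT_BUFSIZE, "%u.%u.%u.%u",
             (unsigned)(a >> 24) & 0xff, (unsigned)(a >> 16) & 0xff,
             (unsigned)(a >> 8) & 0xff, (unsigned)a & 0xff);
    return b;
}

/* Two conversions in one expression (e.g. one printf) get distinct buffers */
int rotating_bufs_distinct(void) {
    const char *p = ipv4_to_string(0x0a000001u);   /* 10.0.0.1 */
    const char *q = ipv4_to_string(0xc0a80101u);   /* 192.168.1.1 */
    return p != q && strcmp(p, "10.0.0.1") == 0 && strcmp(q, "192.168.1.1") == 0;
}

/* Caveat: after ROT_NBUFS further calls the ring wraps and the old pointer
   now refers to the newest value.  Callers must not keep the pointer. */
int rotating_bufs_reused_after_n(void) {
    const char *p = ipv4_to_string(0x01020304u);   /* 1.2.3.4 */
    for (int i = 0; i < ROT_NBUFS; i++)
        ipv4_to_string(0);                         /* 0.0.0.0 */
    return strcmp(p, "0.0.0.0") == 0;              /* the 1.2.3.4 text is gone */
}
```

The design choice matches the commit rationale: the number of buffers only needs to exceed the largest number of conversions any single call site uses at once, and in exchange every caller loses the obligation to free, which is where the leak came from.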
integer arithmetic types: do not use unsigned for lengths. In C it is not normally a good idea to use an unsigned integer type for integer values, even if they are known not ever to be zero (for example, because they are lengths). This is because C unsigned arithmetic has unhelpful behaviour when the values would become negative. In particular, comparing signed and unsigned integers, and doing arithmetic (especially subtraction) when unsigned integers are present, can be dangerous and lead to unexpected results. So fix the resulting warnings (which are due to -Wsign-compare which comes from -W) by making all lengths, counts (and iterators over them) and return values from scanf be of signed types, usually int32_t instead of uint32_t (but occasionally int). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
integer and buffer overflows: introduce safe_malloc_ary. When allocating an array, it is necessary to check that the multiplication (to compute the size in bytes) does not overflow. Do this in a new function safe_malloc_ary, which we call in both the places where safe_malloc was previously used with an unchecked multiplication. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
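The multiplication check that safe_malloc_ary introduces, and that the later REALLOC_ARY commit relies on when it drops the division from the subnet_list_set_len assert, as an added example; this is not secnet's code, and ary_bytes, checked_realloc_ary and i32_list are assumed names for illustration only.

```c
/* Added example (not secnet's code): overflow-checked array allocation.
   Names (ary_bytes, checked_realloc_ary, i32_list) are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute count*size into *bytes; return 0 if the product overflows size_t.
   The division runs once here so callers need not repeat it. */
int ary_bytes(size_t count, size_t size, size_t *bytes) {
    if (size != 0 && count > SIZE_MAX / size) return 0;
    *bytes = count * size;
    return 1;
}

/* realloc an array of `count` objects of `size` bytes, dying on overflow or OOM */
static void *checked_realloc_ary(void *p, size_t count, size_t size, const char *what) {
    size_t bytes;
    if (!ary_bytes(count, size, &bytes)) {
        fprintf(stderr, "%s: %zu x %zu bytes overflows\n", what, count, size);
        abort();
    }
    void *q = realloc(p, bytes ? bytes : 1);   /* never request 0 bytes */
    if (!q) { fprintf(stderr, "%s: out of memory\n", what); abort(); }
    return q;
}

/* A growable int32_t list, in the shape of a *_set_len routine */
struct i32_list { int32_t *entries; int32_t len; int32_t alloc; };

void i32_list_set_len(struct i32_list *l, int32_t len) {
    if (len > l->alloc) {
        if (len > INT32_MAX - 8) abort();   /* headroom addition must not overflow */
        int32_t nalloc = len + 8;
        /* No count*size check here: checked_realloc_ary does it for us */
        l->entries = checked_realloc_ary(l->entries, (size_t)nalloc,
                                         sizeof(*l->entries), "i32_list");
        l->alloc = nalloc;
    }
    l->len = len;
}

/* Grow a list twice and report the final allocation size */
int32_t i32_list_demo(void) {
    struct i32_list l = { NULL, 0, 0 };
    i32_list_set_len(&l, 5);     /* alloc becomes 13 */
    l.entries[4] = 42;           /* in bounds */
    i32_list_set_len(&l, 20);    /* 20 > 13, alloc becomes 28 */
    int32_t alloc = l.alloc;
    free(l.entries);
    return alloc;
}
```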
integer and buffer overflows: introduce a number of asserts. In various places we add and increment integers, hoping that they don't overflow. We also prepend and append things to our internal buffer, which is of fixed size, without checking that they will fit. This means that malicious configuration (for example, long site names) might be able to take over the secnet program. So, add a whole lot of checking. Many of these places don't have a sensible way to return an error; in those cases we assert. Some of the checks are off-by-one in the sense that they say "assert(x<...)" when "<=" would be OK too. This is done to avoid having to think too hard about fenceposts, as it's a simple way to avoid introducing bugs. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk> Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
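The kind of fit check the commit above adds to fixed-size buffer prepend/append, as an added example that is not secnet's code: the pbuf struct and its helpers are assumptions modelled on a packet buffer with headroom at the front, and the oversized "site name" is a constructed input. Here the helpers return 0 when the data would not fit instead of asserting, so the behaviour can be checked; in a place with no way to report an error, an assert on the same condition is the equivalent.

```c
/* Added example (not secnet's code): fixed-size buffer whose prepend and
   append refuse to overrun.  struct pbuf and the pbuf_* names are assumptions. */
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define PBUF_SIZE 64

struct pbuf {
    uint8_t base[PBUF_SIZE];
    int32_t start;   /* offset of the first used byte (headroom lies before it) */
    int32_t len;     /* number of used bytes; invariant: start + len <= PBUF_SIZE */
};

void pbuf_init(struct pbuf *b, int32_t headroom) {
    assert(headroom >= 0 && headroom <= PBUF_SIZE);
    b->start = headroom;
    b->len = 0;
}

/* Append n bytes after the used region; 0 if they do not fit, 1 on success */
int pbuf_append(struct pbuf *b, const void *p, int32_t n) {
    assert(n >= 0);
    if (n > PBUF_SIZE - (b->start + b->len)) return 0;   /* no subtraction below zero: invariant holds */
    memcpy(b->base + b->start + b->len, p, (size_t)n);
    b->len += n;
    return 1;
}

/* Prepend n bytes into the headroom; 0 if the headroom is too small */
int pbuf_prepend(struct pbuf *b, const void *p, int32_t n) {
    assert(n >= 0);
    if (n > b->start) return 0;
    b->start -= n;
    memcpy(b->base + b->start, p, (size_t)n);
    b->len += n;
    return 1;
}

/* Constructed input: a 200-byte "site name" from configuration.  The second
   append must be refused rather than written past base[]. */
int pbuf_rejects_oversized_name(void) {
    struct pbuf b;
    char name[200];
    memset(name, 'A', sizeof name);
    pbuf_init(&b, 8);
    int ok_small = pbuf_append(&b, name, 40);   /* 8 + 40 <= 64: fits */
    int ok_large = pbuf_append(&b, name, 40);   /* 8 + 80 > 64: refused */
    int ok_huge  = pbuf_append(&b, name, 200);  /* refused too */
    return ok_small && !ok_large && !ok_huge && b.len == 40;
}

/* Prepend uses only the headroom: 8 bytes fit, a 9th byte does not */
int pbuf_prepend_bounded(void) {
    struct pbuf b;
    uint8_t hdr[9] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    pbuf_init(&b, 8);
    int ok_fill = pbuf_prepend(&b, hdr, 8);     /* start becomes 0 */
    int ok_more = pbuf_prepend(&b, hdr, 1);     /* start is 0: refused */
    return ok_fill && !ok_more && b.start == 0 && b.len == 8 && b.base[0] == 1;
}
```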
Import release 0.1.16
Import release 0.1.15
Import release 0.1.13