secnet.git
12 years ago | integer arithmetic types: do not use unsigned for site timeouts etc.
Ian Jackson [Sun, 19 Jun 2011 15:25:26 +0000 (16:25 +0100)]
integer arithmetic types: do not use unsigned for site timeouts etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | integer arithmetic types: do not use unsigned for lengths
Ian Jackson [Sun, 12 Jun 2011 21:34:09 +0000 (22:34 +0100)]
integer arithmetic types: do not use unsigned for lengths

In C it is not normally a good idea to use an unsigned integer type
for integer values, even if they are known not ever to be zero (for
example, because they are lengths).  This is because C unsigned
arithmetic has unhelpful behaviour when the values would become
negative.

In particular, comparing signed and unsigned integers, and doing
arithmetic (especially subtraction) when unsigned integers are
present, can be dangerous and lead to unexpected results.

So fix the resulting warnings (which are due to -Wsign-compare which
comes from -W) by making all lengths, counts (and iterators over them)
and return values from scanf be of signed types, usually int32_t
instead of uint32_t (but occasionally int).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | integer arithmetic types: make get_uint32, get_uint16 return the correct type
Ian Jackson [Sun, 12 Jun 2011 21:37:24 +0000 (22:37 +0100)]
integer arithmetic types: make get_uint32, get_uint16 return the correct type

Previously get_uint32 and get_uint16 would return whatever the usual
arithmetic conversions produced.  (The previous code was not in fact
even guaranteed to work properly on a machine with 16-bit ints.)

Now we cast the individual bytes before shifting.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
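The cast-before-shift decode the commit describes, as an added example (my code, not secnet's; the put_ encoders and roundtrip_ok are mine, added so the decode can be round-tripped):

```c
#include <stdint.h>

/* Added example, not secnet's code: big-endian decode with each byte cast
   to the result type before it is shifted, as the commit above describes.
   The old (buf[0] << 24) form promotes the uint8_t to int first: with a
   16-bit int the high bytes are shifted out entirely, and with a 32-bit int
   a first byte of 0x80 or more shifted left by 24 overflows a signed int,
   which is undefined behaviour. */
static uint32_t get_uint32(const uint8_t *buf)
{
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
         | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

static uint16_t get_uint16(const uint8_t *buf)
{
    return (uint16_t)(((uint16_t)buf[0] << 8) | (uint16_t)buf[1]);
}

/* The matching encoders, so a value can be round-tripped. */
static void put_uint32(uint8_t *buf, uint32_t v)
{
    buf[0] = (uint8_t)(v >> 24); buf[1] = (uint8_t)(v >> 16);
    buf[2] = (uint8_t)(v >> 8);  buf[3] = (uint8_t)v;
}

static void put_uint16(uint8_t *buf, uint16_t v)
{
    buf[0] = (uint8_t)(v >> 8); buf[1] = (uint8_t)v;
}

/* Decode a constructed 6-byte header (a 32-bit then a 16-bit field, both
   with the top bit set) and re-encode it; 1 if the bytes come back intact. */
static int roundtrip_ok(void)
{
    const uint8_t hdr[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x92, 0x34};
    uint8_t out[6];
    put_uint32(out, get_uint32(hdr));
    put_uint16(out + 4, get_uint16(hdr + 4));
    for (int i = 0; i < 6; i++)
        if (out[i] != hdr[i]) return 0;
    return 1;
}
```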
12 years ago | integer arithmetic types: correct perhaps-possible negative timeout situation
Ian Jackson [Sun, 12 Jun 2011 19:35:47 +0000 (20:35 +0100)]
integer arithmetic types: correct perhaps-possible negative timeout situation

site_settimeout assumes that its timeout parameter is not before now.
Following the logic of the code this would appear to be currently
true, although I'm not absolutely certain.

Nevertheless it would be better to avoid this assumption.  Instead,
use a signed variable for the time until the timeout, and explicitly
turn negative values into zero.

The use of an int64_t will not cause an arithmetic overflow provided
that no timeouts are more than 2^64 milliseconds (around 580x10^6 yr)
in the past or the future.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
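An added illustration of the two "integer arithmetic types" commits above (unsigned lengths, and the negative timeout); this is my code, not secnet's, and the names fits_*, short_read_* and ms_until* are mine:

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not secnet code, for the two commits on signed types. */

/* Free-space check with unsigned lengths. If `used` ever exceeds `size`
   (a bug elsewhere), size - used wraps to a huge value and the check passes. */
static bool fits_unsigned(uint32_t size, uint32_t used, uint32_t need)
{
    return size - used >= need;
}

/* With int32_t the remainder goes negative and the check fails. */
static bool fits_signed(int32_t size, int32_t used, int32_t need)
{
    return size - used >= need;
}

/* A scanf-style result (-1 on EOF or error) compared with an unsigned count.
   The cast is written out here; it is the conversion C applies implicitly
   and that -Wsign-compare warns about: -1 becomes 0xFFFFFFFF, so EOF reads
   as "got everything". */
static bool short_read_mixed(int nread, uint32_t wanted)
{
    return (uint32_t)nread < wanted;
}

static bool short_read_signed(int nread, int32_t wanted)
{
    return nread < wanted;
}

/* Milliseconds until a timeout, with a timeout already in the past clamped
   to zero; int64_t cannot overflow for any realistic pair of timestamps. */
static int64_t ms_until(int64_t timeout_ms, int64_t now_ms)
{
    int64_t d = timeout_ms - now_ms;
    return d < 0 ? 0 : d;
}

/* The unsigned version of the same subtraction: a timeout 1 ms in the past
   becomes a wait of 2^32 - 1 ms, about 49.7 days. */
static uint32_t ms_until_unsigned(uint32_t timeout_ms, uint32_t now_ms)
{
    return timeout_ms - now_ms;
}
```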
12 years ago | integer and buffer overflows: introduce safe_malloc_ary
Ian Jackson [Sun, 12 Jun 2011 21:28:33 +0000 (22:28 +0100)]
integer and buffer overflows: introduce safe_malloc_ary

When allocating an array, it is necessary to check that the
multiplication (to compute the size in bytes) does not overflow.

Do this in a new function safe_malloc_ary, which we call in both the
places where safe_malloc was previously used with an unchecked
multiplication.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
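The overflow check behind a safe_malloc_ary, as an added example; this is my code, not secnet's function of that name, and it returns NULL on overflow (so the check can be exercised) where a program with no error path would abort:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not secnet's own safe_malloc_ary. Overflow returns NULL
   here so the check is testable; code with no way to report the error
   (as the commit says of secnet) would abort instead. */

/* The unchecked computation: size * count wraps modulo SIZE_MAX + 1, so a
   huge element count can yield a tiny allocation and a later overrun. */
static size_t unchecked_bytes(size_t size, size_t count)
{
    return size * count;
}

/* 1 if size * count fits in a size_t (result in *bytes), 0 on overflow.
   The division form avoids computing the overflowing product at all. */
static int ary_bytes(size_t size, size_t count, size_t *bytes)
{
    if (count != 0 && size > SIZE_MAX / count)
        return 0;
    *bytes = size * count;
    return 1;
}

static void *safe_malloc_ary(size_t size, size_t count, const char *what)
{
    size_t bytes;
    void *p;
    if (!ary_bytes(size, count, &bytes)) {
        fprintf(stderr, "%s: array of %zu x %zu bytes overflows size_t\n",
                what, count, size);
        return NULL;
    }
    p = malloc(bytes ? bytes : 1);   /* malloc(0) may legitimately be NULL */
    if (!p)
        fprintf(stderr, "%s: out of memory\n", what);
    return p;
}
```

The constructed count SIZE_MAX/16 + 2 makes 16 * count wrap to exactly 16 on both 32- and 64-bit size_t, which is what the unchecked version would hand to malloc.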
12 years ago | integer and buffer overflows: introduce a number of asserts
Ian Jackson [Sun, 12 Jun 2011 21:23:15 +0000 (22:23 +0100)]
integer and buffer overflows: introduce a number of asserts

In various places we add and increment integers, hoping that they
don't overflow.  We also prepend and append things to our internal
buffer, which is of fixed size, without checking that they will fit.

This means that malicious configuration (for example, long site names)
might be able to take over the secnet program.

So, add a whole lot of checking.  Many of these places don't have a
sensible way to return an error; in those cases we assert.  Some of
the checks are off-by-one in the sense that they say "assert(x<...)"
when "<=" would be OK too.  This is done to avoid having to think too
hard about fenceposts, as it's a simple way to avoid introducing bugs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
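A fixed-size buffer whose prepend and append operations assert that the data fits, as an added example of the checking the commit describes; this is my code (struct buffer, buf_* and build_frame are my names), not secnet's buffer implementation:

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not secnet's buffer code: a fixed-size buffer with headroom
   at the front, so headers can be prepended and payload appended. A failed
   fit check asserts, as there is no caller to return an error to. Lengths
   are int32_t, so a negative n is rejected instead of wrapping. */
struct buffer {
    uint8_t base[64];
    int32_t start;   /* offset of the first data byte within base[] */
    int32_t size;    /* number of data bytes */
};
static bool buf_can_prepend(const struct buffer *b, int32_t n)
{
    return n >= 0 && n <= b->start;
}
static bool buf_can_append(const struct buffer *b, int32_t n)
{
    return n >= 0 && n <= (int32_t)sizeof b->base - b->start - b->size;
}
/* reserve n bytes at the front / back; return a pointer for the caller to fill */
static uint8_t *buf_prepend(struct buffer *b, int32_t n)
{
    assert(buf_can_prepend(b, n));
    b->start -= n;
    b->size += n;
    return b->base + b->start;
}
static uint8_t *buf_append(struct buffer *b, int32_t n)
{
    assert(buf_can_append(b, n));
    uint8_t *p = b->base + b->start + b->size;
    b->size += n;
    return p;
}
/* constructed use: 8 bytes of headroom, a 5-byte payload, then a 2-byte
   header in front of it; returns a pointer to the 7 bytes of frame data */
static struct buffer example_buf;
static const uint8_t *build_frame(void)
{
    example_buf.start = 8;
    example_buf.size = 0;
    memcpy(buf_append(&example_buf, 5), "hello", 5);
    memcpy(buf_prepend(&example_buf, 2), "> ", 2);
    return example_buf.base + example_buf.start;
}
```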
12 years ago | possible security fix: do not call slilog with intended message as format string
Ian Jackson [Sun, 12 Jun 2011 19:00:10 +0000 (20:00 +0100)]
possible security fix: do not call slilog with intended message as format string

vMessage would call slilog with part of the intended log message as
the format string.  This is a potential format string vulnerability,
detected by -Wformat-security.

I have not analysed the code in detail to determine in exactly which
circumstances a secnet installation will be vulnerable, but in general
a vulnerability (at least for DOS) will exist in any situation where
an attacker can cause a log message to contain things which look like
printf directives.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | logging: provide vslilog as well as slilog
Ian Jackson [Sun, 12 Jun 2011 19:03:33 +0000 (20:03 +0100)]
logging: provide vslilog as well as slilog

In general it is a mistake to provide a varargs function which takes a
format string, but not the corresponding function taking a va_list.

We implement slilog in terms of vslilog in the obvious way.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
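An added example covering the two logging commits above (the format-string fix and the vslilog/slilog pair); this is my code, not secnet's logging implementation, and last_line and log_prebuilt_* are my names:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not secnet's logging code. The va_list variant is the real
   implementation and the varargs wrapper is a thin layer over it, which is
   the arrangement the commit above describes. */
static char last_line[256];   /* the "log sink": the most recent line */

static void vslilog(int level, const char *fmt, va_list ap)
{
    char body[200];
    vsnprintf(body, sizeof body, fmt, ap);
    snprintf(last_line, sizeof last_line, "[%d] %s", level, body);
}

static void slilog(int level, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vslilog(level, fmt, ap);
    va_end(ap);
}

/* A caller that has already built its message (as vMessage had) and then
   hands it to slilog as the format string. Any '%' in the message is
   interpreted: "%%" collapses to "%", and a conversion such as "%s" would
   read arguments that were never passed. Declaring slilog with a printf
   format attribute lets -Wformat-security flag this call. */
static const char *log_prebuilt_unsafe(int level, const char *msg)
{
    slilog(level, msg);
    return last_line;
}

/* The fix: the message is data, so it travels through a "%s" argument.
   A caller that itself holds a va_list calls vslilog directly instead. */
static const char *log_prebuilt_safe(int level, const char *msg)
{
    slilog(level, "%s", msg);
    return last_line;
}
```

The test uses only "%%" in the message, which is well defined in both paths but shows that the unsafe path is interpreting the message rather than printing it.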
12 years ago | cleanup: specify never-interactive option for flex scanner
Ian Jackson [Sat, 11 Jun 2011 11:11:15 +0000 (12:11 +0100)]
cleanup: specify never-interactive option for flex scanner

We never parse configuration interactively.  That's just as well,
because without "%option never-interactive" flex generates a redundant
declaration of isatty which upsets -Wredundant-decls.

This is a bug in flex IMO but the workaround is fine for secnet.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: use flex-generated declarations for scanner interface
Ian Jackson [Sat, 11 Jun 2011 11:07:48 +0000 (12:07 +0100)]
cleanup: use flex-generated declarations for scanner interface

We now pass the --header=... option to flex.  This causes it to
generate a header file describing the flex interface.  We #include
this almost everywhere we #include conffile_internal.h, and that makes
the declarations of yyin and yylex in conffile_internal.h redundant so
remove them.

Note that flex generates a conffile.yy.c which also contains many of
the same declarations as in conffile.yy.h.  So, unfortunately, we
should not #include conffile.yy.h in conffile.hh.c and therefore not
in conffile_internal.h either (if we want -Wredundant-decls, which we do).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: move declaration of version[] into secnet.h
Ian Jackson [Sun, 5 Jun 2011 12:58:06 +0000 (13:58 +0100)]
cleanup: move declaration of version[] into secnet.h

Also, #include secnet.h in the autogenerated version.c.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: fix up the type of string buffers
Ian Jackson [Wed, 25 May 2011 20:00:20 +0000 (21:00 +0100)]
cleanup: fix up the type of string buffers

vsnprintf expects a char*, and the format string passed to ->log does
too, so make buffers be char[].

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
12 years ago | cleanup: turn off some unused flex options
Ian Jackson [Wed, 25 May 2011 20:00:06 +0000 (21:00 +0100)]
cleanup: turn off some unused flex options

We do not use yyunput or yyinput.  Turning them off slightly improves
the scanner performance (not that that's important) but also prevents
"defined but not used" compiler warnings.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: remove other redundant declarations
Ian Jackson [Sun, 5 Jun 2011 12:59:01 +0000 (13:59 +0100)]
cleanup: remove other redundant declarations

These declarations are now in secnet.h.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: remove redundant "init_module" declarations
Ian Jackson [Sat, 11 Jun 2011 10:18:21 +0000 (11:18 +0100)]
cleanup: remove redundant "init_module" declarations

These declarations are now provided in secnet.h and should not appear
in individual .c files.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: move declarations of external objects into header files
Ian Jackson [Mon, 16 May 2011 10:13:59 +0000 (11:13 +0100)]
cleanup: move declarations of external objects into header files

It is not a good idea to declare external objects in .c files.  Every
external object (ie, object with external linkage) should be declared
exactly once in a .h file, and every .c file that refers to it or
defines it should #include that header.

When combined with appropriate compiler warnings, this ensures that
every file sees the same signature for every such object.  (At least
for functions.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: add many compiler warning options
Ian Jackson [Wed, 25 May 2011 20:00:36 +0000 (21:00 +0100)]
cleanup: add many compiler warning options

This is a set of warning options which are useful and IMO should be
enabled in secnet.  Currently the code is not warning-clean to the
required standard; subsequent changes will fix the warnings.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | build system: commit configure
Ian Jackson [Sun, 12 Jun 2011 21:59:39 +0000 (22:59 +0100)]
build system: commit configure

Commit configure (as generated by autoconf 2.67-2 Debian i386) into
the repo and remove it from .gitignore.

This now means that, provided you don't want to modify configure.in,
you can build secnet from a git clone without autoconf installed and
without any worries about the autoconf version.

If you _do_ modify configure.in, the resulting changes to configure
will end up in the repo, just as previously changes to config.h.in
were committed too.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | build system: rerun autoheader
Ian Jackson [Sun, 12 Jun 2011 21:58:57 +0000 (22:58 +0100)]
build system: rerun autoheader

Run a recent autoheader (autoconf 2.67-2 from Debian i386) and commit
the resulting config.h.in.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | build system: remove *~ files in clean target
Ian Jackson [Sun, 5 Jun 2011 12:43:54 +0000 (13:43 +0100)]
build system: remove *~ files in clean target

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | cleanup: add a .dir-locals.el
Richard Kettlewell [Sun, 19 Jun 2011 13:20:54 +0000 (14:20 +0100)]
cleanup: add a .dir-locals.el

Ensures indent level is right for Emacs users.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
12 years ago | build system: add a .gitignore
Ian Jackson [Sun, 5 Jun 2011 12:43:16 +0000 (13:43 +0100)]
build system: add a .gitignore

Ignore all files generated by running autoconf, ./configure, and make,
and the debian build, and editor backup files.

(The files generated by running autoheader are committed and therefore
we don't add them to .gitignore.  There is probably a mistake here,
which will be fixed later in this series.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
12 years ago | Import release 0.1.18 | tag: v0.1.18
Stephen Early [Tue, 18 Mar 2008 18:21:25 +0000 (18:21 +0000)]
Import release 0.1.18

12 years ago | Python encoding declaration
Stephen Early [Tue, 14 Jun 2005 23:24:02 +0000 (00:24 +0100)]
Python encoding declaration

Add encoding declaration to ipaddr.py to stop deprecation warnings on
recent python implementations.

12 years ago | Import release 0.1.17 | tags: chiark-0.1.17, v0.1.17
Stephen Early [Sat, 11 Jun 2005 23:18:00 +0000 (00:18 +0100)]
Import release 0.1.17

12 years ago | MacOS X support
Stephen Early [Wed, 6 Apr 2005 00:58:29 +0000 (01:58 +0100)]
MacOS X support

Patch from Richard Kettlewell <richard@sfere.greenend.org.uk> to
support MacOS X; see also http://www.greenend.org.uk/rjk/2004/osx.html

12 years ago | Minor Makefile update
Stephen Early [Wed, 6 Apr 2005 00:44:21 +0000 (01:44 +0100)]
Minor Makefile update

Update bison pattern rule to indicate that both the .tab.c and .tab.h
files are generated by the same command.

12 years ago | Update i386 implementation of ip_csum
Stephen Early [Wed, 6 Apr 2005 00:30:07 +0000 (01:30 +0100)]
Update i386 implementation of ip_csum

Update i386 implementation of ip_csum from recent linux
include/asm-i386/checksum.h to fix gcc quote syntax issue.

12 years ago | Rename log() to slilog()
Stephen Early [Wed, 6 Apr 2005 00:23:59 +0000 (01:23 +0100)]
Rename log() to slilog()

Rename global 'log' to 'slilog' to avoid conflict with gcc built-in
log() function.

12 years ago | autoconf-related updates from Ross Younger <ross@crazyscot.com>
Stephen Early [Wed, 6 Apr 2005 00:18:28 +0000 (01:18 +0100)]
autoconf-related updates from Ross Younger <ross@crazyscot.com>

configure.in:
+ require autoconf 2.50
+ use new AC_INIT syntax (NB. This required me to specify an explicit
  package version number and maintainer address!)
+ fix linux/if.h header check
+ add some quoting
+ barf at configure time if gmp, fl or adns are missing
+ use new AC_LIBOBJ syntax for snprintf and getopt
+ include config.h fragments formerly in config.h.bot and config.h.top

Makefile.in: distfiles and dependencies updated to suit.

config.h.bot and config.h.top: removed.

12 years ago | Import release 0.1.16 | tag: v0.1.16
Stephen Early [Fri, 19 Sep 2003 14:40:00 +0000 (15:40 +0100)]
Import release 0.1.16

12 years ago | Import release 0.1.15 | tag: v0.1.15
Stephen Early [Thu, 21 Feb 2002 16:28:00 +0000 (16:28 +0000)]
Import release 0.1.15

12 years ago | Import release 0.1.14 | tag: v0.1.14
Stephen Early [Fri, 28 Dec 2001 19:31:00 +0000 (19:31 +0000)]
Import release 0.1.14

12 years ago | Import release 0.1.13 | tag: v0.1.13
Stephen Early [Thu, 6 Dec 2001 17:36:00 +0000 (17:36 +0000)]
Import release 0.1.13

12 years ago | Import release 0.1.12 | tag: v0.1.12
Stephen Early [Mon, 5 Nov 2001 14:51:00 +0000 (14:51 +0000)]
Import release 0.1.12

12 years ago | Import release 0.1.11 | tag: v0.1.11
Stephen Early [Sat, 27 Oct 2001 14:29:00 +0000 (15:29 +0100)]
Import release 0.1.11

12 years ago | Import release 0.1.10 | tag: v0.1.10
Stephen Early [Mon, 22 Oct 2001 13:13:00 +0000 (14:13 +0100)]
Import release 0.1.10

12 years ago | Import release 0.1.9 | tag: v0.1.9
Stephen Early [Sat, 20 Oct 2001 17:03:00 +0000 (18:03 +0100)]
Import release 0.1.9

12 years ago | Import release 0.1.8 | tag: v0.1.8
Stephen Early [Tue, 16 Oct 2001 13:05:00 +0000 (14:05 +0100)]
Import release 0.1.8

12 years ago | Import release 0.1.7 | tag: v0.1.7
Stephen Early [Mon, 15 Oct 2001 00:37:00 +0000 (01:37 +0100)]
Import release 0.1.7

12 years ago | Import release 0.1.6 | tag: v0.1.6
Stephen Early [Sat, 13 Oct 2001 17:02:00 +0000 (18:02 +0100)]
Import release 0.1.6

12 years ago | Import release 0.1.5 | tag: v0.1.5
Stephen Early [Thu, 11 Oct 2001 17:16:00 +0000 (18:16 +0100)]
Import release 0.1.5

12 years ago | Import release 0.1.4 | tag: v0.1.4
Stephen Early [Wed, 10 Oct 2001 23:37:00 +0000 (00:37 +0100)]
Import release 0.1.4

12 years ago | Import release 0.1.3 | tag: v0.1.3
Stephen Early [Wed, 10 Oct 2001 15:11:00 +0000 (16:11 +0100)]
Import release 0.1.3

12 years ago | Import release 0.1.2 | tag: v0.1.2
Stephen Early [Thu, 4 Oct 2001 16:57:00 +0000 (17:57 +0100)]
Import release 0.1.2

12 years ago | Import release 0.1.1 | tag: v0.1.1
Stephen Early [Thu, 27 Sep 2001 18:10:00 +0000 (19:10 +0100)]
Import release 0.1.1

12 years ago | Import release 0.1.0 | tag: v0.1.0
Stephen Early [Tue, 25 Sep 2001 23:19:00 +0000 (00:19 +0100)]
Import release 0.1.0

12 years ago | Import release 0.09 | tag: v0.09
Stephen Early [Mon, 24 Sep 2001 16:25:00 +0000 (17:25 +0100)]
Import release 0.09

12 years ago | Import release 0.08 | tag: v0.08
Stephen Early [Mon, 24 Sep 2001 13:25:00 +0000 (14:25 +0100)]
Import release 0.08

12 years ago | Import release 0.07 | tag: v0.07
Stephen Early [Sun, 23 Sep 2001 23:48:00 +0000 (00:48 +0100)]
Import release 0.07

12 years ago | Import release 0.06 | tag: v0.06
Stephen Early [Sun, 23 Sep 2001 20:49:00 +0000 (21:49 +0100)]
Import release 0.06

12 years ago | Import release 0.05 | tag: v0.05
Stephen Early [Sun, 23 Sep 2001 17:30:00 +0000 (18:30 +0100)]
Import release 0.05

12 years ago | Import release 0.04 | tag: v0.04
Stephen Early [Sun, 23 Sep 2001 15:28:00 +0000 (16:28 +0100)]
Import release 0.04

12 years ago | Import release 0.03 | tag: v0.03
Stephen Early [Wed, 19 Sep 2001 23:24:00 +0000 (00:24 +0100)]
Import release 0.03