[or-cvs] r9322: Add some defensive programming to eventdns.c in an attempt t (in tor/trunk: . src/or)

nickm at seul.org nickm at seul.org
Wed Jan 10 19:49:40 UTC 2007


Author: nickm
Date: 2007-01-10 14:49:21 -0500 (Wed, 10 Jan 2007)
New Revision: 9322

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/eventdns.c
Log:
 r11919 at Kushana:  nickm | 2007-01-10 13:32:48 -0500
 Add some defensive programming to eventdns.c in an attempt to catch possible memory stomping bugs.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r11919] on c95137ef-5f19-0410-b913-86e773d04f59

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-01-10 19:49:11 UTC (rev 9321)
+++ tor/trunk/ChangeLog	2007-01-10 19:49:21 UTC (rev 9322)
@@ -3,6 +3,8 @@
     - When computing clock skew from directory HTTP headers, consider what
       time it was when we finished asking for the directory, not what time it
       is now.
+    - Add some defensive programming to eventdns.c in an attempt to catch
+      possible memory-stomping bugs.
 
 
 Changes in version 0.1.2.6-alpha - 2007-01-09

Modified: tor/trunk/src/or/eventdns.c
===================================================================
--- tor/trunk/src/or/eventdns.c	2007-01-10 19:49:11 UTC (rev 9321)
+++ tor/trunk/src/or/eventdns.c	2007-01-10 19:49:21 UTC (rev 9322)
@@ -130,7 +130,7 @@
 #define u64 uint64_t
 #define u32 uint32_t
 #define u16 uint16_t
-#define u8  uint8_t
+#define u8	uint8_t
 
 #define MAX_ADDRS 4	 // maximum number of addresses from a single packet
 // which we bother recording
@@ -141,6 +141,8 @@
 
 #define CLASS_INET	EVDNS_CLASS_INET
 
+#define CLEAR(x) do { memset((x), 0, sizeof(*(x))); } while(0)
+
 struct request {
 	u8 *request;  // the dns packet data
 	unsigned int request_len;
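Review bot: The added `CLEAR` macro is a plain `memset`, and most of its call sites in this commit sit directly before `free()`, where an optimising compiler may drop the store as dead, so the zeroing can be absent in release builds. Routing the call through a volatile function pointer keeps it in place: `static void *(*volatile clear_fn)(void *, int, size_t) = memset;` and `#define CLEAR(x) do { clear_fn((x), 0, sizeof(*(x))); } while(0)`. At the sites that precede `free()`, a non-zero poison byte would also make a stale struct fail more visibly than an all-zero one, which can pass for idle state with NULL pointers. The macro deserves a one-line comment saying that `x` must point to a single object, because `sizeof(*(x))` does not cover data stored after the struct.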
@@ -450,6 +452,7 @@
 nameserver_probe_failed(struct nameserver *const ns) {
 	const struct timeval * timeout;
 	(void) evtimer_del(&ns->timeout_event);
+	CLEAR(&ns->timeout_event);
 	if (ns->state == 1) {
 		// This can happen if the nameserver acts in a way which makes us mark
 		// it as bad and then starts sending good replies.
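Review bot: After `CLEAR(&ns->timeout_event)` the event no longer carries a callback or base, so it must go through `evtimer_set()` again before any later `evtimer_add()`. Nothing in this hunk shows that, because the rest of nameserver_probe_failed lies outside it. The same applies to the `timeout_event` clears in the hunks at -526, -1778 and -1955, whereas the `port->event` and `ns->event` clears are followed directly by `event_set()`. I would add a comment at each of these sites, e.g. `/* zeroed: evtimer_set() must be called before this timer is re-added */`, so a future re-arm path does not add a blank event.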
@@ -526,6 +529,7 @@
 	log(EVDNS_LOG_WARN, "Nameserver %s is back up",
 		debug_ntoa(ns->address));
 	evtimer_del(&ns->timeout_event);
+	CLEAR(&ns->timeout_event);
 	ns->state = 1;
 	ns->failed_times = 0;
 	ns->timedout = 0;
@@ -557,6 +561,7 @@
 	log(EVDNS_LOG_DEBUG, "Removing timeout for request %lx",
 		(unsigned long) req);
 	evtimer_del(&req->timeout_event);
+	CLEAR(&req->timeout_event);
 
 	search_request_finished(req);
 	global_requests_inflight--;
@@ -569,6 +574,7 @@
 		// so everything gets free()ed when we:
 	}
 
+	CLEAR(req);
 	free(req);
 
 	evdns_requests_pump_waiting_queue();
@@ -975,6 +981,7 @@
 				free(server_req->base.questions[i]);
 			free(server_req->base.questions);
 		}
+		CLEAR(server_req);
 		free(server_req);
 	}
 	return -1;
@@ -1136,6 +1143,7 @@
 
 	// We have no more pending requests; stop listening for 'writeable' events.
 	(void) event_del(&port->event);
+	CLEAR(&port->event);
 	event_set(&port->event, port->socket, EV_READ | EV_PERSIST,
 			  server_port_ready_callback, port);
 	if (event_add(&port->event, NULL) < 0) {
@@ -1153,6 +1161,7 @@
 
 	ns->write_waiting = waiting;
 	(void) event_del(&ns->event);
+	CLEAR(&ns->event);
 	event_set(&ns->event, ns->socket, EV_READ | (waiting ? EV_WRITE : 0) | EV_PERSIST,
 			  nameserver_ready_callback, ns);
 	if (event_add(&ns->event, NULL) < 0) {
@@ -1380,6 +1389,7 @@
 	struct evdns_server_port *port;
 	if (!(port = malloc(sizeof(struct evdns_server_port))))
 		return NULL;
+	memset(port, 0, sizeof(struct evdns_server_port));
 
 	assert(!is_tcp); // TCP sockets not yet implemented
 	port->socket = socket;
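Review bot: The added `memset(port, 0, sizeof(struct evdns_server_port));` spells out the type by hand even though this commit introduces `CLEAR` for exactly this purpose. `CLEAR(port);` would match the other call sites and stays correct if the type of `port` ever changes. The function body continues outside the hunk.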
@@ -1438,8 +1448,10 @@
 	item = malloc(sizeof(struct server_reply_item));
 	if (!item)
 		return -1;
+	CLEAR(item);
 	item->next = NULL;
 	if (!(item->name = strdup(name))) {
+		CLEAR(item);
 		free(item);
 		return -1;
 	}
@@ -1453,6 +1465,7 @@
 		if (item->is_name) {
 			if (!(item->data = strdup(data))) {
 				free(item->name);
+				CLEAR(item);
 				free(item);
 				return -1;
 			}
@@ -1460,6 +1473,7 @@
 		} else {
 			if (!(item->data = malloc(datalen))) {
 				free(item->name);
+				CLEAR(item);
 				free(item);
 				return -1;
 			}
@@ -1650,6 +1664,7 @@
 			port->choked = 1;
 
 			(void) event_del(&port->event);
+			CLEAR(&port->event);
 			event_set(&port->event, port->socket, (port->closing?0:EV_READ) | EV_WRITE | EV_PERSIST, server_port_ready_callback, port);
 
 			if (event_add(&port->event, NULL) < 0) {
@@ -1689,6 +1704,7 @@
 			free(victim->name);
 			if (victim->data)
 				free(victim->data);
+			/* XXXX free(victim?) -NM */
 			victim = next;
 		}
 		*list = NULL;
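Review bot: The new `XXXX` comment marks a leak that the loop still has: the visible lines free `victim->name` and `victim->data` but never the item itself. If these are the items allocated with `malloc(sizeof(struct server_reply_item))` in the hunk at -1438, every answered request would leak one struct per reply record, which adds up on a long-running resolver. Unless the lines above the hunk release it, add `CLEAR(victim); free(victim);` just before `victim = next;`. The loop head is outside the hunk, so confirm that `next` is read from the item before it is freed.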
@@ -1716,8 +1732,9 @@
 		rc = --req->port->refcnt;
 	}
 
-	if (req->response)
+	if (req->response) {
 		free(req->response);
+	}
 
 	server_request_free_answers(req);
 
@@ -1728,9 +1745,11 @@
 
 	if (rc == 0) {
 		server_port_free(req->port);
+		CLEAR(req);
 		free(req);
 		return (1);
 	}
+	CLEAR(req);
 	free(req);
 	return (0);
 }
@@ -1747,6 +1766,8 @@
 		port->socket = -1;
 	}
 	(void) event_del(&port->event);
+	CLEAR(&port->event);
+	// XXXX actually free the port? -NM
 }
 
 // exported function
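Review bot: This function, which appears to be the port teardown, ends after `CLEAR(&port->event)` without releasing `port` itself, as the added `XXXX` comment already suspects. The struct is allocated with `malloc` in the hunk at -1380, and the caller visible in the hunk at -1728 calls `server_port_free(req->port)` and then frees only `req`, so the port memory looks leaked on every close. Once it is confirmed that no caller touches the port afterwards, end the function with `CLEAR(port); free(port);`. The start of the function is outside the hunk.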
@@ -1778,6 +1799,7 @@
 	}
 
 	(void) evtimer_del(&req->timeout_event);
+	CLEAR(&req->timeout_event);
 	if (req->tx_count >= global_max_retransmits) {
 		// this request has failed
 		reply_callback(req, 0, DNS_ERR_TIMEOUT, NULL);
@@ -1938,9 +1960,12 @@
 	while (1) {
 		struct nameserver *next = server->next;
 		(void) event_del(&server->event);
+		CLEAR(&server->event);
 		(void) evtimer_del(&server->timeout_event);
+		CLEAR(&server->timeout_event);
 		if (server->socket >= 0)
 			CLOSE_SOCKET(server->socket);
+		CLEAR(server);
 		free(server);
 		if (next == started_at)
 			break;
@@ -1955,6 +1980,7 @@
 		req->ns = NULL;
 		// ???? What to do about searches?
 		(void) evtimer_del(&req->timeout_event);
+		CLEAR(&req->timeout_event);
 		req->trans_id = 0;
 		req->transmit_me = 0;
 
@@ -2054,6 +2080,7 @@
 out2:
 	CLOSE_SOCKET(ns->socket);
 out1:
+	CLEAR(ns);
 	free(ns);
 	log(EVDNS_LOG_WARN, "Unable to add nameserver %s: error %d", debug_ntoa(address), err);
 	return err;
@@ -2130,6 +2157,7 @@
 
 	return req;
 err1:
+	CLEAR(req);
 	free(req);
 	return NULL;
 }
@@ -2258,8 +2286,10 @@
 		struct search_domain *next, *dom;
 		for (dom = state->head; dom; dom = next) {
 			next = dom->next;
+			CLEAR(dom);
 			free(dom);
 		}
+		CLEAR(state);
 		free(state);
 	}
 }
@@ -2363,7 +2393,7 @@
 			const u8 *const postfix = ((u8 *) dom) + sizeof(struct search_domain);
 			const int postfix_len = dom->len;
 			char *const newname = (char *) malloc(base_len + need_to_append_dot + postfix_len + 1);
-						if (!newname) return NULL;
+			if (!newname) return NULL;
 			memcpy(newname, base_name, base_len);
 			if (need_to_append_dot) newname[base_len] = '.';
 			memcpy(newname + base_len + need_to_append_dot, postfix, postfix_len);
@@ -2587,7 +2617,7 @@
 		const char *option;
 		while ((option = NEXT_TOKEN)) {
 			const char *val = strchr(option, ':');
-            evdns_set_option(option, val ? val+1 : "", flags);
+			evdns_set_option(option, val ? val+1 : "", flags);
 		}
 	}
 #undef NEXT_TOKEN
@@ -2649,7 +2679,7 @@
 	if (!server_head && (flags & DNS_OPTION_NAMESERVERS)) {
 		// no nameservers were configured.
 		evdns_nameserver_ip_add("127.0.0.1");
-        err = 6;
+		err = 6;
 	}
 	if (flags & DNS_OPTION_SEARCH && (!global_search_state || global_search_state->num_domains == 0)) {
 		search_set_from_hostname();
@@ -2911,6 +2941,7 @@
 		if (server->socket >= 0)
 			CLOSE_SOCKET(server->socket);
 		(void) event_del(&server->event);
+		CLEAR(server);
 		free(server);
 		if (server_next == server_head)
 			break;
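Review bot: The visible lines delete only `server->event` before `CLEAR(server); free(server);`, while the nameserver teardown loop in the hunk at -1938 also calls `evtimer_del(&server->timeout_event)` first. If a probe timer is still pending for a failed nameserver here, libevent would keep a pointer into memory that is zeroed and then freed. Unless the timer is removed above the hunk, add `(void) evtimer_del(&server->timeout_event);` before `CLEAR(server);` to match the other loop. The loop head is outside the hunk.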
@@ -2921,8 +2952,10 @@
 	if (global_search_state) {
 		for (dom = global_search_state->head; dom; dom = dom_next) {
 			dom_next = dom->next;
+			CLEAR(dom);
 			free(dom);
 		}
+		CLEAR(global_search_state);
 		free(global_search_state);
 		global_search_state = NULL;
 	}


