| blob | ce3646cd64882b3bcbb7f95503f682846d0263dc |
1 /* Copyright (c) 2003, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file util.c
8 * \brief Common functions for strings, IO, network, data structures,
9 * process control.
10 **/
12 /* This is required on rh7 to make strptime not complain.
13 */
14 #define _GNU_SOURCE
17 #ifdef HAVE_FCNTL_H
18 #include <fcntl.h>
19 #endif
20 #define UTIL_PRIVATE
32 #ifdef _WIN32
33 #include <io.h>
34 #include <direct.h>
35 #include <process.h>
36 #include <tchar.h>
37 #include <winbase.h>
38 #else
39 #include <dirent.h>
40 #include <pwd.h>
41 #include <grp.h>
42 #endif
44 /* math.h needs this on Linux */
45 #ifndef _USE_ISOC99_
46 #define _USE_ISOC99_ 1
47 #endif
48 #include <math.h>
49 #include <stdlib.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <assert.h>
53 #include <signal.h>
55 #ifdef HAVE_NETINET_IN_H
56 #include <netinet/in.h>
57 #endif
58 #ifdef HAVE_ARPA_INET_H
59 #include <arpa/inet.h>
60 #endif
61 #ifdef HAVE_ERRNO_H
62 #include <errno.h>
63 #endif
64 #ifdef HAVE_SYS_SOCKET_H
65 #include <sys/socket.h>
66 #endif
67 #ifdef HAVE_SYS_TIME_H
68 #include <sys/time.h>
69 #endif
70 #ifdef HAVE_UNISTD_H
71 #include <unistd.h>
72 #endif
73 #ifdef HAVE_SYS_STAT_H
74 #include <sys/stat.h>
75 #endif
76 #ifdef HAVE_SYS_FCNTL_H
77 #include <sys/fcntl.h>
78 #endif
79 #ifdef HAVE_TIME_H
80 #include <time.h>
81 #endif
82 #ifdef HAVE_MALLOC_MALLOC_H
83 #include <malloc/malloc.h>
84 #endif
85 #ifdef HAVE_MALLOC_H
86 #if !defined(OPENBSD) && !defined(__FreeBSD__)
87 /* OpenBSD has a malloc.h, but for our purposes, it only exists in order to
88 * scold us for being so stupid as to autodetect its presence. To be fair,
89 * they've done this since 1996, when autoconf was only 5 years old. */
90 #include <malloc.h>
91 #endif
92 #endif
93 #ifdef HAVE_MALLOC_NP_H
94 #include <malloc_np.h>
95 #endif
96 #ifdef HAVE_SYS_WAIT_H
97 #include <sys/wait.h>
98 #endif
99 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
100 #include <sys/prctl.h>
101 #endif
103 #ifdef __clang_analyzer__
104 #undef MALLOC_ZERO_WORKS
105 #endif
107 /* =====
108 * Assertion helper.
109 * ===== */
110 /** Helper for tor_assert: report the assertion failure. */
111 void
114 {
122 }
124 /* =====
125 * Memory management
126 * ===== */
127 #ifdef USE_DMALLOC
128 #undef strndup
129 #include <dmalloc.h>
130 /* Macro to pass the extra dmalloc args to another function. */
131 #define DMALLOC_FN_ARGS , file, line
133 #if defined(HAVE_DMALLOC_STRDUP)
134 /* the dmalloc_strdup should be fine as defined */
135 #elif defined(HAVE_DMALLOC_STRNDUP)
136 #define dmalloc_strdup(file, line, string, xalloc_b) \
137 dmalloc_strndup(file, line, (string), -1, xalloc_b)
138 #else
140 #endif
144 #define DMALLOC_FN_ARGS
145 #endif
147 /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to
148 * result. On error, log and terminate the process. (Same as malloc(size),
149 * but never returns NULL.)
150 *
151 * <b>file</b> and <b>line</b> are used if dmalloc is enabled, and
152 * ignored otherwise.
153 */
156 {
161 #ifndef MALLOC_ZERO_WORKS
162 /* Some libc mallocs don't work when size==0. Override them. */
165 }
166 #endif
168 #ifdef USE_DMALLOC
170 #else
172 #endif
176 /* If these functions die within a worker process, they won't call
177 * spawn_exit, but that's ok, since the parent will run out of memory soon
178 * anyway. */
180 }
182 }
184 /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with
185 * zero bytes, and return a pointer to the result. Log and terminate
186 * the process on error. (Same as calloc(size,1), but never returns NULL.)
187 */
190 {
191 /* You may ask yourself, "wouldn't it be smart to use calloc instead of
192 * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick
193 * we don't!" Indeed it does, but its optimizations are only a big win when
194 * we're allocating something very big (it knows if it just got the memory
195 * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero
196 * for big stuff, so we don't bother with calloc. */
200 }
202 /* The square root of SIZE_MAX + 1. If a is less than this, and b is less
203 * than this, then a*b is less than SIZE_MAX. (For example, if size_t is
204 * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and
205 * b are less than this, then their product is at most (65535*65535) ==
206 * 0xfffe0001. */
207 #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4))
209 /** Return non-zero if and only if the product of the arguments is exact. */
212 {
213 /* This first check is equivalent to
214 (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1)
216 Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it
217 will have some bit set in its most significant half.
218 */
222 }
224 /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill
225 * the memory with zero bytes, and return a pointer to the result.
226 * Log and terminate the process on error. (Same as
227 * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.)
228 * The second argument (<b>size</b>) should preferably be non-zero
229 * and a compile-time constant.
230 */
233 {
236 }
238 /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b>
239 * bytes long; return the new memory block. On error, log and
240 * terminate. (Like realloc(ptr,size), but never returns NULL.)
241 */
244 {
249 #ifndef MALLOC_ZERO_WORKS
250 /* Some libc mallocs don't work when size==0. Override them. */
253 }
254 #endif
256 #ifdef USE_DMALLOC
258 #else
260 #endif
265 }
267 }
269 /**
270 * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for
271 * overflow. Unlike other allocation functions, return NULL on overflow.
272 */
275 {
276 /* XXXX we can make this return 0, but we would need to check all the
277 * reallocarray users. */
281 }
283 /** Return a newly allocated copy of the NUL-terminated string s. On
284 * error, log and terminate. (Like strdup(s), but never returns
285 * NULL.)
286 */
289 {
293 #ifdef USE_DMALLOC
295 #else
297 #endif
301 }
303 }
305 /** Allocate and return a new string containing the first <b>n</b>
306 * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b>
307 * characters, only the first <b>n</b> are copied. The result is
308 * always NUL-terminated. (Like strndup(s,n), but never returns
309 * NULL.)
310 */
313 {
318 /* Performance note: Ordinarily we prefer strlcpy to strncpy. But
319 * this function gets called a whole lot, and platform strncpy is
320 * much faster than strlcpy when strlen(s) is much longer than n.
321 */
325 }
327 /** Allocate a chunk of <b>len</b> bytes, with the same contents as the
328 * <b>len</b> bytes starting at <b>mem</b>. */
331 {
338 }
340 /** As tor_memdup(), but add an extra 0 byte at the end of the resulting
341 * memory. */
344 {
352 }
354 /** Helper for places that need to take a function pointer to the right
355 * spelling of "free()". */
356 void
358 {
360 }
362 /** Call the platform malloc info function, and dump the results to the log at
363 * level <b>severity</b>. If no such function exists, do nothing. */
364 void
366 {
367 #ifdef HAVE_MALLINFO
372 "mallinfo() said: arena=%d, ordblks=%d, smblks=%d, hblks=%d, "
373 "hblkhd=%d, usmblks=%d, fsmblks=%d, uordblks=%d, fordblks=%d, "
378 #else
380 #endif
381 #ifdef USE_DMALLOC
386 );
387 #endif
388 }
390 /* =====
391 * Math
392 * ===== */
394 /**
395 * Returns the natural logarithm of d base e. We defined this wrapper here so
396 * to avoid conflicts with old versions of tor_log(), which were named log().
397 */
398 double
400 {
402 }
404 /** Return the long integer closest to <b>d</b>. We define this wrapper
405 * here so that not all users of math.h need to use the right incantations
406 * to get the c99 functions. */
407 long
409 {
410 #if defined(HAVE_LROUND)
412 #elif defined(HAVE_RINT)
414 #else
416 #endif
417 }
419 /** Return the 64-bit integer closest to d. We define this wrapper here so
420 * that not all users of math.h need to use the right incantations to get the
421 * c99 functions. */
422 int64_t
424 {
425 #if defined(HAVE_LLROUND)
427 #elif defined(HAVE_RINT)
429 #else
431 #endif
432 }
434 /** Returns floor(log2(u64)). If u64 is 0, (incorrectly) returns 0. */
435 int
437 {
442 }
446 }
450 }
454 }
458 }
462 }
464 }
466 /** Return the power of 2 in range [1,UINT64_MAX] closest to <b>u64</b>. If
467 * there are two powers of 2 equally close, round down. */
468 uint64_t
470 {
486 else
488 }
490 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
491 * <b>divisor</b> == 0. If no such x can be expressed as an unsigned, return
492 * UINT_MAX */
493 unsigned
495 {
502 }
504 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
505 * <b>divisor</b> == 0. If no such x can be expressed as a uint32_t, return
506 * UINT32_MAX */
507 uint32_t
509 {
517 }
519 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
520 * <b>divisor</b> == 0. If no such x can be expressed as a uint64_t, return
521 * UINT64_MAX */
522 uint64_t
524 {
531 }
533 /** Return the lowest x in [INT64_MIN, INT64_MAX] such that x is at least
534 * <b>number</b>, and x modulo <b>divisor</b> == 0. If no such x can be
535 * expressed as an int64_t, return INT64_MAX */
536 int64_t
538 {
546 }
548 /** Transform a random value <b>p</b> from the uniform distribution in
549 * [0.0, 1.0[ into a Laplace distributed value with location parameter
550 * <b>mu</b> and scale parameter <b>b</b>. Truncate the final result
551 * to be an integer in [INT64_MIN, INT64_MAX]. */
552 int64_t
554 {
558 /* This is the "inverse cumulative distribution function" from:
559 * http://en.wikipedia.org/wiki/Laplace_distribution */
561 /* Avoid taking log(0.0) == -INFINITY, as some processors or compiler
562 * options can cause the program to trap. */
564 }
570 }
572 /** Add random noise between INT64_MIN and INT64_MAX coming from a Laplace
573 * distribution with mu = 0 and b = <b>delta_f</b>/<b>epsilon</b> to
574 * <b>signal</b> based on the provided <b>random</b> value in [0.0, 1.0[.
575 * The epsilon value must be between ]0.0, 1.0]. delta_f must be greater
576 * than 0. */
577 int64_t
580 {
583 /* epsilon MUST be between ]0.0, 1.0] */
585 /* delta_f MUST be greater than 0. */
588 /* Just add noise, no further signal */
591 random);
593 /* Clip (signal + noise) to [INT64_MIN, INT64_MAX] */
598 else
600 }
602 /** Return the number of bits set in <b>v</b>. */
603 int
605 {
623 };
626 }
628 /* =====
629 * String manipulation
630 * ===== */
632 /** Remove from the string <b>s</b> every character which appears in
633 * <b>strip</b>. */
634 void
636 {
643 }
644 }
646 }
648 /** Return a pointer to a NUL-terminated hexadecimal string encoding
649 * the first <b>fromlen</b> bytes of <b>from</b>. (fromlen must be \<= 32.) The
650 * result does not need to be deallocated, but repeated calls to
651 * hex_str will trash old results.
652 */
655 {
661 }
663 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
664 * lowercase. */
665 void
667 {
671 }
672 }
674 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
675 * lowercase. */
676 void
678 {
682 }
683 }
685 /** Return 1 if every character in <b>s</b> is printable, else return 0.
686 */
687 int
689 {
693 s++;
694 }
696 }
698 /** Return 1 if no character in <b>s</b> is uppercase, else return 0.
699 */
700 int
702 {
706 s++;
707 }
709 }
711 /** As strcmp, except that either string may be NULL. The NULL string is
712 * considered to be before any non-NULL string. */
713 int
715 {
719 else
725 }
726 }
728 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
729 * strcmp.
730 */
731 int
733 {
736 }
738 /** Compare the s1_len-byte string <b>s1</b> with <b>s2</b>,
739 * without depending on a terminating nul in s1. Sorting order is first by
740 * length, then lexically; return values are as for strcmp.
741 */
742 int
744 {
751 }
753 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
754 * strcasecmp.
755 */
756 int
758 {
761 }
763 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
764 * strcmp.
765 */
766 int
768 {
772 else
774 }
776 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
777 * strcasecmp.
778 */
779 int
781 {
785 else
787 }
789 /** Compare the value of the string <b>prefix</b> with the start of the
790 * <b>memlen</b>-byte memory chunk at <b>mem</b>. Return as for strcmp.
791 *
792 * [As fast_memcmp(mem, prefix, strlen(prefix)) but returns -1 if memlen is
793 * less than strlen(prefix).]
794 */
795 int
798 {
803 }
805 /** Return a pointer to the first char of s that is not whitespace and
806 * not a comment, or to the terminating NUL if no such character exists.
807 */
810 {
828 }
829 }
830 }
832 /** Return a pointer to the first char of s that is not whitespace and
833 * not a comment, or to the terminating NUL if no such character exists.
834 */
837 {
856 }
857 }
859 }
861 /** Return a pointer to the first char of s that is not a space or a tab
862 * or a \\r, or to the terminating NUL if no such character exists. */
865 {
869 }
871 /** As eat_whitespace_no_nl, but stop at <b>eos</b> whether we have
872 * found a non-whitespace character or not. */
875 {
879 }
881 /** Return a pointer to the first char of s that is whitespace or <b>#</b>,
882 * or to the terminating NUL if no such character exists.
883 */
886 {
887 /* tor_assert(s); */
890 {
900 }
901 }
902 }
904 /** As find_whitespace, but stop at <b>eos</b> whether we have found a
905 * whitespace or not. */
908 {
909 /* tor_assert(s); */
912 {
922 }
923 }
925 }
927 /** Return the first occurrence of <b>needle</b> in <b>haystack</b> that
928 * occurs at the start of a line (that is, at the beginning of <b>haystack</b>
929 * or immediately after a newline). Return NULL if no such string is found.
930 */
933 {
943 else
948 }
950 /** Returns true if <b>string</b> could be a C identifier.
951 A C identifier must begin with a letter or an underscore and the
952 rest of its characters can be letters, numbers or underscores. No
953 length limit is imposed. */
954 int
956 {
972 }
973 }
976 }
978 /** Return true iff the 'len' bytes at 'mem' are all zero. */
979 int
981 {
984 };
986 /* It's safe to use fast_memcmp here, since the very worst thing an
987 * attacker could learn is how many initial bytes of a secret were zero */
992 }
993 /* Deal with leftover bytes. */
998 }
1000 /** Return true iff the DIGEST_LEN bytes in digest are all zero. */
1001 int
1003 {
1006 };
1008 }
1010 /** Return true if <b>string</b> is a valid 'key=[value]' string.
1011 * "value" is optional, to indicate the empty string. Log at logging
1012 * <b>severity</b> if something ugly happens. */
1013 int
1015 {
1016 /* position of equal sign in string */
1025 }
1031 }
1033 /* validate that the '=' is not in the beginning of the string. */
1038 }
1041 }
1043 /** Return true if <b>string</b> represents a valid IPv4 adddress in
1044 * 'a.b.c.d' form.
1045 */
1046 int
1048 {
1052 }
1054 /** Return true if <b>string</b> represents a valid IPv6 address in
1055 * a form that inet_pton() can parse.
1056 */
1057 int
1059 {
1063 }
1065 /** Return true iff <b>string</b> matches a pattern of DNS names
1066 * that we allow Tor clients to connect to.
1067 *
1068 * Note: This allows certain technically invalid characters ('_') to cope
1069 * with misconfigured zones that have been encountered in the wild.
1070 */
1071 int
1073 {
1085 }
1087 /* Allow a single terminating '.' used rarely to indicate domains
1088 * are FQDNs rather than relative. */
1091 }
1098 c++;
1099 else
1112 }
1114 /** Return true iff the DIGEST256_LEN bytes in digest are all zero. */
1115 int
1117 {
1119 }
1121 /* Helper: common code to check whether the result of a strtol or strtoul or
1122 * strtoll is correct. */
1123 #define CHECK_STRTOX_RESULT() \
1125 if (errno == ERANGE) \
1126 goto err; \
1128 if (endptr == s) \
1129 goto err; \
1131 if (!next && *endptr) \
1132 goto err; \
1134 if (r < min || r > max) \
1135 goto err; \
1136 if (ok) *ok = 1; \
1137 if (next) *next = endptr; \
1138 return r; \
1139 err: \
1140 if (ok) *ok = 0; \
1141 if (next) *next = endptr; \
1142 return 0
1144 /** Extract a long from the start of <b>s</b>, in the given numeric
1145 * <b>base</b>. If <b>base</b> is 0, <b>s</b> is parsed as a decimal,
1146 * octal, or hex number in the syntax of a C integer literal. If
1147 * there is unconverted data and <b>next</b> is provided, set
1148 * *<b>next</b> to the first unconverted character. An error has
1149 * occurred if no characters are converted; or if there are
1150 * unconverted characters and <b>next</b> is NULL; or if the parsed
1151 * value is not between <b>min</b> and <b>max</b>. When no error
1152 * occurs, return the parsed value and set *<b>ok</b> (if provided) to
1153 * 1. When an error occurs, return 0 and set *<b>ok</b> (if provided)
1154 * to 0.
1155 */
1156 long
1159 {
1167 }
1172 }
1174 /** As tor_parse_long(), but return an unsigned long. */
1175 unsigned long
1178 {
1186 }
1191 }
1193 /** As tor_parse_long(), but return a double. */
1194 double
1196 {
1203 }
1205 /** As tor_parse_long, but return a uint64_t. Only base 10 is guaranteed to
1206 * work for now. */
1207 uint64_t
1210 {
1218 }
1221 #ifdef HAVE_STRTOULL
1223 #elif defined(_WIN32)
1224 #if defined(_MSC_VER) && _MSC_VER < 1300
1230 #else
1232 #endif
1233 #elif SIZEOF_LONG == 8
1235 #else
1237 #endif
1240 }
1242 /** Allocate and return a new string representing the contents of <b>s</b>,
1243 * surrounded by quotes and using standard C escapes.
1244 *
1245 * Generally, we use this for logging values that come in over the network to
1246 * keep them from tricking users, and for sending certain values to the
1247 * controller.
1248 *
1249 * We trust values from the resolver, OS, configuration file, and command line
1250 * to not be maliciously ill-formed. We validate incoming routerdescs and
1251 * SOCKS requests and addresses from BEGIN cells as they're parsed;
1252 * afterwards, we trust them as non-malicious.
1253 */
1256 {
1262 }
1277 else
1280 }
1281 }
1288 /* This assertion should always succeed, since we will write at least
1289 * one char here, and two chars for closing quote and nul later */
1317 }
1319 }
1320 }
1327 }
1329 /** Similar to esc_for_log. Allocate and return a new string representing
1330 * the first n characters in <b>chars</b>, surround by quotes and using
1331 * standard C escapes. If a NUL character is encountered in <b>chars</b>,
1332 * the resulting string will be terminated there.
1333 */
1336 {
1341 }
1343 /** Allocate and return a new string representing the contents of <b>s</b>,
1344 * surrounded by quotes and using standard C escapes.
1345 *
1346 * THIS FUNCTION IS NOT REENTRANT. Don't call it from outside the main
1347 * thread. Also, each call invalidates the last-returned value, so don't
1348 * try log_warn(LD_GENERAL, "%s %s", escaped(a), escaped(b));
1349 */
1352 {
1358 else
1362 }
1364 /** Return a newly allocated string equal to <b>string</b>, except that every
1365 * character in <b>chars_to_escape</b> is preceded by a backslash. */
1368 {
1379 /* (new_length > SIZE_MAX) => ((length * 2) + 1 > SIZE_MAX) =>
1380 (length*2 > SIZE_MAX - 1) => (length > (SIZE_MAX - 1)/2) */
1384 /* this should be enough even if all characters must be escaped */
1394 }
1399 }
1401 /* =====
1402 * Time
1403 * ===== */
1405 /** Return the number of microseconds elapsed between *start and *end.
1406 */
1407 long
1409 {
1417 }
1421 }
1423 /** Return the number of milliseconds elapsed between *start and *end.
1424 */
1425 long
1427 {
1435 }
1437 /* Subtract and round */
1441 }
1443 /**
1444 * Converts timeval to milliseconds.
1445 */
1446 int64_t
1448 {
1450 /* Round ghetto-style */
1453 }
1455 /** Yield true iff <b>y</b> is a leap-year. */
1456 #define IS_LEAPYEAR(y) (!(y % 4) && ((y % 100) || !(y % 400)))
1457 /** Helper: Return the number of leap-days between Jan 1, y1 and Jan 1, y2. */
1458 static int
1460 {
1464 }
1465 /** Number of days per month in non-leap year; used by tor_timegm and
1466 * parse_rfc1123_time. */
1470 /** Compute a time_t given a struct tm. The result is given in UTC, and
1471 * does not account for leap seconds. Return 0 on success, -1 on failure.
1472 */
1473 int
1475 {
1476 /* This is a pretty ironclad timegm implementation, snarfed from Python2.2.
1477 * It's way more brute-force than fiddling with tzset().
1478 */
1481 /* avoid int overflow on addition */
1485 /* clamp year */
1487 }
1494 }
1496 /* invalid month - default to 0 days per month */
1498 }
1508 }
1521 }
1523 /* strftime is locale-specific, so we need to replace those parts */
1525 /** A c-locale array of 3-letter names of weekdays, starting with Sun. */
1528 /** A c-locale array of 3-letter names of months, starting with Jan. */
1533 /** Set <b>buf</b> to the RFC1123 encoding of the UTC value of <b>t</b>.
1534 * The buffer must be at least RFC1123_TIME_LEN+1 bytes long.
1535 *
1536 * (RFC1123 format is "Fri, 29 Sep 2006 15:54:20 GMT". Note the "GMT"
1537 * rather than "UTC".)
1538 */
1539 void
1541 {
1553 }
1555 /** Parse the (a subset of) the RFC1123 encoding of some time (in UTC) from
1556 * <b>buf</b>, and store the result in *<b>t</b>.
1557 *
1558 * Note that we only accept the subset generated by format_rfc1123_time above,
1559 * not the full range of formats suggested by RFC 1123.
1560 *
1561 * Return 0 on success, -1 on failure.
1562 */
1563 int
1565 {
1583 }
1590 }
1591 }
1597 }
1605 }
1613 }
1626 }
1630 }
1632 /** Set <b>buf</b> to the ISO8601 encoding of the local value of <b>t</b>.
1633 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1634 *
1635 * (ISO8601 format is 2006-10-29 10:57:20)
1636 */
1637 void
1639 {
1642 }
1644 /** Set <b>buf</b> to the ISO8601 encoding of the GMT value of <b>t</b>.
1645 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1646 */
1647 void
1649 {
1652 }
1654 /** As format_iso_time, but use the yyyy-mm-ddThh:mm:ss format to avoid
1655 * embedding an internal space. */
1656 void
1658 {
1661 }
1663 /** As format_iso_time_nospace, but include microseconds in decimal
1664 * fixed-point format. Requires that buf be at least ISO_TIME_USEC_LEN+1
1665 * bytes long. */
1666 void
1668 {
1672 }
1674 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1675 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1676 * failure. Ignore extraneous stuff in <b>cp</b> after the end of the time
1677 * string, unless <b>strict</b> is set. */
1678 int
1680 {
1692 }
1699 }
1712 }
1714 }
1716 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1717 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1718 * failure. Reject the string if any characters are present after the time.
1719 */
1720 int
1722 {
1724 }
1726 /** Given a <b>date</b> in one of the three formats allowed by HTTP (ugh),
1727 * parse it into <b>tm</b>. Return 0 on success, negative on failure. */
1728 int
1730 {
1740 /* First, try RFC1123 or RFC850 format: skip the weekday. */
1749 /* rfc1123-date */
1754 /* rfc850-date */
1757 }
1759 /* No comma; possibly asctime() format. */
1766 }
1767 }
1775 /* Okay, now decode the month. */
1776 /* set tm->tm_mon to dummy value so the check below fails. */
1781 }
1782 }
1793 }
1795 /** Given an <b>interval</b> in seconds, try to write it to the
1796 * <b>out_len</b>-byte buffer in <b>out</b> in a human-readable form.
1797 * Return 0 on success, -1 on failure.
1798 */
1799 int
1801 {
1802 /* We only report seconds if there's no hours. */
1805 /* -LONG_MIN is LONG_MAX + 1, which causes signed overflow */
1814 }
1818 }
1822 }
1834 }
1835 }
1837 /* =====
1838 * Cached time
1839 * ===== */
1841 #ifndef TIME_IS_FAST
1842 /** Cached estimate of the current time. Updated around once per second;
1843 * may be a few seconds off if we are really busy. This is a hack to avoid
1844 * calling time(NULL) (which not everybody has optimized) on critical paths.
1845 */
1848 /** Return a cached estimate of the current time from when
1849 * update_approx_time() was last called. This is a hack to avoid calling
1850 * time(NULL) on critical paths: please do not even think of calling it
1851 * anywhere else. */
1852 time_t
1854 {
1856 }
1858 /** Update the cached estimate of the current time. This function SHOULD be
1859 * called once per second, and MUST be called before the first call to
1860 * get_approx_time. */
1861 void
1863 {
1865 }
1866 #endif
1868 /* =====
1869 * Rate limiting
1870 * ===== */
1872 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return the number
1873 * of calls to rate_limit_is_ready (including this one!) since the last time
1874 * rate_limit_is_ready returned nonzero. Otherwise return 0. */
1875 static int
1877 {
1886 }
1887 }
1889 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return a newly
1890 * allocated string indicating how many messages were suppressed, suitable to
1891 * append to a log message. Otherwise return NULL. */
1894 {
1905 }
1908 }
1909 }
1911 /* =====
1912 * File helpers
1913 * ===== */
1915 /** Write <b>count</b> bytes from <b>buf</b> to <b>fd</b>. <b>isSocket</b>
1916 * must be 1 if fd was returned by socket() or accept(), and 0 if fd
1917 * was returned by open(). Return the number of bytes written, or -1
1918 * on error. Only use if fd is a blocking fd. */
1919 ssize_t
1921 {
1923 ssize_t result;
1929 else
1934 }
1936 }
1938 /** Read from <b>fd</b> to <b>buf</b>, until we get <b>count</b> bytes
1939 * or reach the end of the file. <b>isSocket</b> must be 1 if fd
1940 * was returned by socket() or accept(), and 0 if fd was returned by
1941 * open(). Return the number of bytes read, or -1 on error. Only use
1942 * if fd is a blocking fd. */
1943 ssize_t
1945 {
1947 ssize_t result;
1952 }
1957 else
1964 }
1966 }
1968 /*
1969 * Filesystem operations.
1970 */
1972 /** Clean up <b>name</b> so that we can use it in a call to "stat". On Unix,
1973 * we do nothing. On Windows, we remove a trailing slash, unless the path is
1974 * the root of a disk. */
1975 static void
1977 {
1978 #ifdef _WIN32
1986 }
1987 #else
1989 #endif
1990 }
1992 /** Return:
1993 * FN_ERROR if filename can't be read, is NULL, or is zero-length,
1994 * FN_NOENT if it doesn't exist,
1995 * FN_FILE if it is a non-empty regular file, or a FIFO on unix-like systems,
1996 * FN_EMPTY for zero-byte regular files,
1997 * FN_DIR if it's a directory, and
1998 * FN_ERROR for any other file type.
1999 * On FN_ERROR and FN_NOENT, sets errno. (errno is not set when FN_ERROR
2000 * is returned due to an unhandled file type.) */
2001 file_status_t
2003 {
2009 }
2018 }
2020 }
2030 }
2031 #ifndef _WIN32
2034 #endif
2037 }
2038 }
2040 /** Check whether <b>dirname</b> exists and is private. If yes return 0. If
2041 * it does not exist, and <b>check</b>&CPD_CREATE is set, try to create it
2042 * and return 0 on success. If it does not exist, and
2043 * <b>check</b>&CPD_CHECK, and we think we can create it, return 0. Else
2044 * return -1. If CPD_GROUP_OK is set, then it's okay if the directory
2045 * is group-readable, but in all cases we create the directory mode 0700.
2046 * If CPD_GROUP_READ is set, existing directory behaves as CPD_GROUP_OK and
2047 * if the directory is created it will use mode 0750 with group read
2048 * permission. Group read privileges also assume execute permission
2049 * as norm for directories. If CPD_CHECK_MODE_ONLY is set, then we don't
2050 * alter the directory permissions if they are too permissive:
2051 * we just return -1.
2052 * When effective_user is not NULL, check permissions against the given user
2053 * and its primary group.
2054 */
2055 int
2058 {
2062 #ifndef _WIN32
2065 uid_t running_uid;
2066 gid_t running_gid;
2067 #else
2069 #endif
2082 }
2085 #if defined (_WIN32)
2087 #else
2092 }
2093 #endif
2098 }
2102 }
2103 /* XXXX In the case where check==CPD_CHECK, we should look at the
2104 * parent directory a little harder. */
2106 }
2110 }
2111 #ifndef _WIN32
2113 /* Look up the user and group information.
2114 * If we have a problem, bail out. */
2118 effective_user);
2120 }
2126 }
2144 }
2160 }
2165 }
2170 dirname);
2172 }
2178 }
2186 }
2187 }
2188 #endif
2190 }
2192 /** Create a file named <b>fname</b> with the contents <b>str</b>. Overwrite
2193 * the previous <b>fname</b> if possible. Return 0 on success, -1 on failure.
2194 *
2195 * This function replaces the old file atomically, if possible. This
2196 * function, and all other functions in util.c that create files, create them
2197 * with mode 0600.
2198 */
2199 int
2201 {
2202 #ifdef _WIN32
2207 }
2208 #endif
2210 }
2212 /** Represents a file that we're writing to, with support for atomic commit:
2213 * we can write into a temporary file, and either remove the file on
2214 * failure, or replace the original file on success. */
2222 };
2224 /** Try to start writing to the file in <b>fname</b>, passing the flags
2225 * <b>open_flags</b> to the open() syscall, creating the file (if needed) with
2226 * access value <b>mode</b>. If the O_APPEND flag is set, we append to the
2227 * original file. Otherwise, we open a new temporary file in the same
2228 * directory, and either replace the original or remove the temporary file
2229 * when we're done.
2230 *
2231 * Return the fd for the newly opened file, and store working data in
2232 * *<b>data_out</b>. The caller should not close the fd manually:
2233 * instead, call finish_writing_to_file() or abort_writing_to_file().
2234 * Returns -1 on failure.
2235 *
2236 * NOTE: When not appending, the flags O_CREAT and O_TRUNC are treated
2237 * as true and the flag O_EXCL is treated as false.
2238 *
2239 * NOTE: Ordinarily, O_APPEND means "seek to the end of the file before each
2240 * write()". We don't do that.
2241 */
2242 int
2245 {
2252 #if (O_BINARY != 0 && O_TEXT != 0)
2254 #endif
2265 /* We always replace an existing temporary file if there is one. */
2269 }
2270 #if O_BINARY != 0
2273 #endif
2280 }
2286 }
2287 }
2293 err:
2301 }
2303 /** Given <b>file_data</b> from start_writing_to_file(), return a stdio FILE*
2304 * that can be used to write to the same file. The caller should not mix
2305 * stdio calls with non-stdio calls. */
2308 {
2317 }
2319 }
2321 /** Combines start_writing_to_file with fdopen_file(): arguments are as
2322 * for start_writing_to_file, but */
2326 {
2333 }
2335 }
2337 /** Helper function: close and free the underlying file and memory in
2338 * <b>file_data</b>. If we were writing into a temporary file, then delete
2339 * that file (if abort_write is true) or replaces the target file with
2340 * the temporary file (if abort_write is false). */
2341 static int
2343 {
2352 }
2357 }
2364 /* We couldn't unlink and we'll leave a mess behind */
2368 }
2375 }
2376 }
2377 }
2384 }
2386 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2387 * needed, and if using a temporary file, replace the original file with
2388 * the temporary file. */
2389 int
2391 {
2393 }
2395 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2396 * needed, and if using a temporary file, delete it. */
2397 int
2399 {
2401 }
2403 /** Helper: given a set of flags as passed to open(2), open the file
2404 * <b>fname</b> and write all the sized_chunk_t structs in <b>chunks</b> to
2405 * the file. Do so as atomically as possible e.g. by opening temp files and
2406 * renaming. */
2407 static int
2410 {
2413 ssize_t result;
2418 {
2424 }
2426 });
2429 err:
2432 }
2434 /** Given a smartlist of sized_chunk_t, write them to a file
2435 * <b>fname</b>, overwriting or creating the file as necessary.
2436 * If <b>no_tempfile</b> is 0 then the file will be written
2437 * atomically. */
2438 int
2441 {
2445 /* O_APPEND stops write_chunks_to_file from using tempfiles */
2447 }
2449 }
2451 /** Write <b>len</b> bytes, starting at <b>str</b>, to <b>fname</b>
2452 using the open() flags passed in <b>flags</b>. */
2453 static int
2456 {
2464 }
2466 /** As write_str_to_file, but does not assume a NUL-terminated
2467 * string. Instead, we write <b>len</b> bytes, starting at <b>str</b>. */
2471 {
2474 }
2476 /** As write_bytes_to_file, but if the file already exists, append the bytes
2477 * to the end of the file instead of overwriting it. */
2478 int
2481 {
2484 }
2486 /** Like write_str_to_file(), but also return -1 if there was a file
2487 already residing in <b>fname</b>. */
2488 int
2491 {
2493 OPEN_FLAGS_DONT_REPLACE|
2495 }
2497 /**
2498 * Read the contents of the open file <b>fd</b> presuming it is a FIFO
2499 * (or similar) file descriptor for which the size of the file isn't
2500 * known ahead of time. Return NULL on failure, and a NUL-terminated
2501 * string on success. On success, set <b>sz_out</b> to the number of
2502 * bytes read.
2503 */
2506 {
2507 ssize_t r;
2515 }
2518 /* XXXX This "add 1K" approach is a little goofy; if we care about
2519 * performance here, we should be doubling. But in practice we shouldn't
2520 * be using this function on big files anyway. */
2531 }
2540 }
2542 /** Read the contents of <b>filename</b> into a newly allocated
2543 * string; return the string on success or NULL on failure.
2544 *
2545 * If <b>stat_out</b> is provided, store the result of stat()ing the
2546 * file into <b>stat_out</b>.
2547 *
2548 * If <b>flags</b> & RFTS_BIN, open the file in binary mode.
2549 * If <b>flags</b> & RFTS_IGNORE_MISSING, don't warn if the file
2550 * doesn't exist.
2551 */
2552 /*
2553 * This function <em>may</em> return an erroneous result if the file
2554 * is modified while it is running, but must not crash or overflow.
2555 * Right now, the error case occurs when the file length grows between
2556 * the call to stat and the call to read_all: the resulting string will
2557 * be truncated.
2558 */
2561 {
2565 ssize_t r;
2580 }
2588 }
2590 #ifndef _WIN32
2591 /** When we detect that we're reading from a FIFO, don't read more than
2592 * this many bytes. It's insane overkill for most uses. */
2593 #define FIFO_READ_MAX (1024*1024)
2601 }
2606 }
2607 #endif
2613 }
2626 }
2629 #if defined(_WIN32) || defined(__CYGWIN__)
2633 filename);
2636 }
2640 #endif
2642 /* Unless we're using text mode on win32, we'd better have an exact
2643 * match for size. */
2651 }
2655 }
2658 }
2662 /** Given a c-style double-quoted escaped string in <b>s</b>, extract and
2663 * decode its contents into a newly allocated string. On success, assign this
2664 * string to *<b>result</b>, assign its length to <b>size_out</b> (if
2665 * provided), and return a pointer to the position in <b>s</b> immediately
2666 * after the string. On failure, return NULL.
2667 */
2670 {
2697 }
2702 }
2703 }
2704 end_of_loop:
2709 {
2720 {
2725 {
2733 }
2737 }
2741 {
2748 }
2759 }
2763 }
2764 }
2765 }
2767 /** Given a string containing part of a configuration file or similar format,
2768 * advance past comments and whitespace and try to parse a single line. If we
2769 * parse a line successfully, set *<b>key_out</b> to a new string holding the
2770 * key portion and *<b>value_out</b> to a new string holding the value portion
2771 * of the line, and return a pointer to the start of the next line. If we run
2772 * out of data, return a pointer to the end of the string. If we encounter an
2773 * error, return NULL and set *<b>err_out</b> (if provided) to an error
2774 * message.
2775 */
2780 {
2781 /*
2782 See torrc_format.txt for a description of the (silly) format this parses.
2783 */
2792 /* Skip until the first keyword. */
2801 }
2802 }
2807 }
2809 /* Skip until the next space or \ followed by newline. */
2816 /* Skip until the value. */
2822 /* Find the end of the line. */
2828 }
2835 }
2837 /* Look for the end of the line. */
2850 }
2851 }
2857 }
2858 /* Now back cp up to be the last nonspace character */
2864 /* Now copy out and decode the value. */
2880 }
2881 }
2883 }
2884 }
2890 }
2894 }
2896 /** Expand any homedir prefix on <b>filename</b>; return a newly allocated
2897 * string. */
2900 {
2902 #ifdef _WIN32
2904 #else
2917 }
2920 #ifdef HAVE_PWD_H
2925 else
2931 }
2934 #else
2937 #endif
2938 }
2940 /* Remove trailing slash. */
2943 }
2949 }
2950 #endif
2951 }
2953 #define MAX_SCANF_WIDTH 9999
2955 /** Helper: given an ASCII-encoded decimal digit, return its numeric value.
2956 * NOTE: requires that its input be in-bounds. */
2957 static int
2959 {
2963 }
2965 /** Helper: Read an unsigned int from *<b>bufp</b> of up to <b>width</b>
2966 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
2967 * success, store the result in <b>out</b>, advance bufp to the next
2968 * character, and return 0. On failure, return -1. */
2969 static int
2971 {
2984 // Check for overflow beforehand, without actually causing any overflow
2985 // This preserves functionality on compilers that don't wrap overflow
2986 // (i.e. that trap or optimise away overflow)
2987 // result * base + digit > ULONG_MAX
2988 // result * base > ULONG_MAX - digit
2993 }
3000 }
3002 /** Helper: Read an signed int from *<b>bufp</b> of up to <b>width</b>
3003 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3004 * success, store the result in <b>out</b>, advance bufp to the next
3005 * character, and return 0. On failure, return -1. */
3006 static int
3008 {
3021 }
3029 // Avoid overflow on the cast to signed long when result is LONG_MIN
3030 // by subtracting 1 from the unsigned long positive value,
3031 // then, after it has been cast to signed and negated,
3032 // subtracting the original 1 (the double-subtraction is intentional).
3033 // Otherwise, the cast to signed could cause a temporary long
3034 // to equal LONG_MAX + 1, which is undefined.
3035 // We avoid underflow on the subtraction by treating -0 as positive.
3041 }
3044 }
3046 /** Helper: Read a decimal-formatted double from *<b>bufp</b> of up to
3047 * <b>width</b> characters. (Handle arbitrary width if <b>width</b> is less
3048 * than 0.) On success, store the result in <b>out</b>, advance bufp to the
3049 * next character, and return 0. On failure, return -1. */
3050 static int
3052 {
3065 }
3071 }
3081 }
3083 }
3090 }
3092 /** Helper: copy up to <b>width</b> non-space characters from <b>bufp</b> to
3093 * <b>out</b>. Make sure <b>out</b> is nul-terminated. Advance <b>bufp</b>
3094 * to the next non-space character or the EOS. */
3095 static int
3097 {
3104 }
3107 }
3109 /** Locale-independent, minimal, no-surprises scanf variant, accepting only a
3110 * restricted pattern format. For more info on what it supports, see
3111 * tor_sscanf() documentation. */
3112 int
3114 {
3125 }
3137 }
3140 }
3144 }
3160 }
3185 }
3218 }
3219 }
3220 }
3223 }
3225 /** Minimal sscanf replacement: parse <b>buf</b> according to <b>pattern</b>
3226 * and store the results in the corresponding argument fields. Differs from
3227 * sscanf in that:
3228 * <ul><li>It only handles %u, %lu, %x, %lx, %[NUM]s, %d, %ld, %lf, and %c.
3229 * <li>It only handles decimal inputs for %lf. (12.3, not 1.23e1)
3230 * <li>It does not handle arbitrarily long widths.
3231 * <li>Numbers do not consume any space characters.
3232 * <li>It is locale-independent.
3233 * <li>%u and %x do not consume any space.
3234 * <li>It returns -1 on malformed patterns.</ul>
3235 *
3236 * (As with other locale-independent functions, we need this to parse data that
3237 * is in ASCII without worrying that the C library's locale-handling will make
3238 * miscellaneous characters look like numbers, spaces, and so on.)
3239 */
3240 int
3242 {
3249 }
3251 /** Append the string produced by tor_asprintf(<b>pattern</b>, <b>...</b>)
3252 * to <b>sl</b>. */
3253 void
3255 {
3260 }
3262 /** va_list-based backend of smartlist_add_asprintf. */
3263 void
3266 {
3273 }
3275 /** Return a new list containing the filenames in the directory <b>dirname</b>.
3276 * Return NULL on error or if <b>dirname</b> is not a directory.
3277 */
3278 smartlist_t *
3280 {
3282 #ifdef _WIN32
3286 HANDLE handle;
3287 WIN32_FIND_DATA findData;
3289 #ifdef UNICODE
3291 #else
3293 #endif
3297 }
3300 #ifdef UNICODE
3303 #else
3305 #endif
3309 }
3311 DWORD err;
3316 }
3318 }
3319 }
3322 #else
3335 }
3337 #endif
3339 }
3341 /** Return true iff <b>filename</b> is a relative path. */
3342 int
3344 {
3347 #ifdef _WIN32
3353 #endif
3354 else
3356 }
3358 /* =====
3359 * Process helpers
3360 * ===== */
3362 #ifndef _WIN32
3363 /* Based on code contributed by christian grothoff */
3364 /** True iff we've called start_daemon(). */
3366 /** True iff we've called finish_daemon(). */
3368 /** Socketpair used to communicate between parent and child process while
3369 * daemonizing. */
3371 /** Start putting the process into daemon mode: fork and drop all resources
3372 * except standard fds. The parent process never returns, but stays around
3373 * until finish_daemon is called. (Note: it's safe to call this more
3374 * than once: calls after the first are ignored.)
3375 */
3376 void
3378 {
3379 pid_t pid;
3388 }
3393 }
3403 }
3407 else
3413 /*
3414 * Fork one more time, so the parent (the session group leader) can exit.
3415 * This means that we, as a non-session group leader, can never regain a
3416 * controlling terminal. This part is recommended by Stevens's
3417 * _Advanced Programming in the Unix Environment_.
3418 */
3421 }
3425 }
3426 }
3428 /** Finish putting the process into daemon mode: drop standard fds, and tell
3429 * the parent process to exit. (Note: it's safe to call this more than once:
3430 * calls after the first are ignored. Calls start_daemon first if it hasn't
3431 * been called already.)
3432 */
3433 void
3435 {
3446 /* Don't hold the wrong FS mounted */
3450 }
3456 }
3457 /* close fds linking to invoking terminal, but
3458 * close usual incoming fds, but redirect them somewhere
3459 * useful so the fds don't get reallocated elsewhere.
3460 */
3466 }
3469 /* signal success */
3472 }
3474 }
3475 #else
3476 /* defined(_WIN32) */
3477 void
3479 {
3480 }
3481 void
3483 {
3485 }
3486 #endif
3488 /** Write the current process ID, followed by NL, into <b>filename</b>.
3489 */
3490 void
3492 {
3499 #ifdef _WIN32
3501 #else
3503 #endif
3505 }
3506 }
3508 #ifdef _WIN32
3509 HANDLE
3511 {
3520 }
3521 #endif
3523 /** Format a single argument for being put on a Windows command line.
3524 * Returns a newly allocated string */
3527 {
3533 /* Backslash we can point to when one is inserted into the string */
3536 /* Smartlist of *char */
3540 /* Quote string if it contains whitespace or is empty */
3543 /* Build up smartlist of *chars */
3546 /* Double up backslashes preceding a quote */
3550 /* Escape the quote */
3554 /* Count backslashes until we know whether to double up */
3555 bs_counter++;
3557 /* Don't double up slashes preceding a non-quote */
3562 }
3563 }
3564 /* Don't double up trailing backslashes */
3568 /* Allocate space for argument, quotes (if needed), and terminator */
3573 /* Add leading quote */
3578 /* Add characters */
3580 {
3582 });
3584 /* Add trailing quote */
3591 }
3593 /** Format a command line for use on Windows, which takes the command as a
3594 * string rather than string array. Follows the rules from "Parsing C++
3595 * Command-Line Arguments" in MSDN. Algorithm based on list2cmdline in the
3596 * Python subprocess module. Returns a newly allocated string */
3599 {
3604 /* Format each argument and put the result in a smartlist */
3608 }
3610 /* Join the arguments with whitespace */
3613 /* Free the newly allocated arguments, and the smartlist */
3615 {
3617 });
3621 }
3623 /* As format_{hex,dex}_number_sigsafe, but takes a <b>radix</b> argument
3624 * in range 2..16 inclusive. */
3625 static int
3628 {
3633 /* NOT tor_assert. This needs to be safe to run from within a signal handler,
3634 * and from within the 'tor_assert() has failed' code. */
3638 /* Count how many digits we need. */
3644 }
3646 /* Not long enough */
3660 /* NOT tor_assert; see above. */
3663 }
3666 }
3668 /**
3669 * Helper function to output hex numbers from within a signal handler.
3670 *
3671 * Writes the nul-terminated hexadecimal digits of <b>x</b> into a buffer
3672 * <b>buf</b> of size <b>buf_len</b>, and return the actual number of digits
3673 * written, not counting the terminal NUL.
3674 *
3675 * If there is insufficient space, write nothing and return 0.
3676 *
3677 * This accepts an unsigned int because format_helper_exit_status() needs to
3678 * call it with a signed int and an unsigned char, and since the C standard
3679 * does not guarantee that an int is wider than a char (an int must be at
3680 * least 16 bits but it is permitted for a char to be that wide as well), we
3681 * can't assume a signed int is sufficient to accomodate an unsigned char.
3682 * Thus, format_helper_exit_status() will still need to emit any require '-'
3683 * on its own.
3684 *
3685 * For most purposes, you'd want to use tor_snprintf("%x") instead of this
3686 * function; it's designed to be used in code paths where you can't call
3687 * arbitrary C functions.
3688 */
3689 int
3691 {
3693 }
3695 /** As format_hex_number_sigsafe, but format the number in base 10. */
3696 int
3698 {
3700 }
3702 #ifndef _WIN32
3703 /** Format <b>child_state</b> and <b>saved_errno</b> as a hex string placed in
3704 * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler
3705 * safe.
3706 *
3707 * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available.
3708 *
3709 * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded
3710 * with spaces. CHILD_STATE indicates where
3711 * in the processs of starting the child process did the failure occur (see
3712 * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of
3713 * errno when the failure occurred.
3714 *
3715 * On success return the number of characters added to hex_errno, not counting
3716 * the terminating NUL; return -1 on error.
3717 */
3718 STATIC int
3721 {
3728 /* Fill hex_errno with spaces, and a trailing newline (memset may
3729 not be signal handler safe, so we can't use it) */
3734 /* Convert errno to be unsigned for hex conversion */
3736 // Avoid overflow on the cast to unsigned int when result is INT_MIN
3737 // by adding 1 to the signed int negative value,
3738 // then, after it has been negated and cast to unsigned,
3739 // adding the original 1 back (the double-addition is intentional).
3740 // Otherwise, the cast to signed could cause a temporary int
3741 // to equal INT_MAX + 1, which is undefined.
3745 }
3747 /*
3748 * Count how many chars of space we have left, and keep a pointer into the
3749 * current point in the buffer.
3750 */
3754 /* Emit child_state */
3760 /* Adjust left and cur */
3766 /* Now the '/' */
3769 /* Adjust left and cur */
3775 /* Need minus? */
3782 }
3784 /* Emit unsigned_errno */
3790 /* Adjust left and cur */
3794 /* Check that we have enough space left for a newline and a NUL */
3798 /* Emit the newline and NUL */
3806 err:
3807 /*
3808 * In error exit, just write a '\0' in the first char so whatever called
3809 * this at least won't fall off the end.
3810 */
3813 done:
3815 }
3816 #endif
3818 /* Maximum number of file descriptors, if we cannot get it via sysconf() */
3819 #define DEFAULT_MAX_FD 256
3821 /** Terminate the process of <b>process_handle</b>.
3822 * Code borrowed from Python's os.kill. */
3823 int
3825 {
3826 #ifdef _WIN32
3832 else
3834 }
3837 /* We haven't got a waitpid yet, so we can just kill off the process. */
3839 }
3840 #endif
3843 }
3845 /** Return the Process ID of <b>process_handle</b>. */
3846 int
3848 {
3849 #ifdef _WIN32
3851 #else
3853 #endif
3854 }
3856 #ifdef _WIN32
3857 HANDLE
3859 {
3861 }
3862 #else
3863 /* DOCDOC tor_process_get_stdout_pipe */
3866 {
3868 }
3869 #endif
3871 /* DOCDOC process_handle_new */
3874 {
3877 #ifdef _WIN32
3881 #else
3885 #endif
3888 }
3890 #ifndef _WIN32
3891 /** Invoked when a process that we've launched via tor_spawn_background() has
3892 * been found to have terminated.
3893 */
3894 static void
3896 {
3904 }
3905 #endif
3907 /**
3908 * @name child-process states
3909 *
3910 * Each of these values represents a possible state that a child process can
3911 * be in. They're used to determine what to say when telling the parent how
3912 * far along we were before failure.
3913 *
3914 * @{
3915 */
3916 #define CHILD_STATE_INIT 0
3917 #define CHILD_STATE_PIPE 1
3918 #define CHILD_STATE_MAXFD 2
3919 #define CHILD_STATE_FORK 3
3920 #define CHILD_STATE_DUPOUT 4
3921 #define CHILD_STATE_DUPERR 5
3922 #define CHILD_STATE_DUPIN 6
3923 #define CHILD_STATE_CLOSEFD 7
3924 #define CHILD_STATE_EXEC 8
3925 #define CHILD_STATE_FAILEXEC 9
3926 /** @} */
3927 /** Start a program in the background. If <b>filename</b> contains a '/', then
3928 * it will be treated as an absolute or relative path. Otherwise, on
3929 * non-Windows systems, the system path will be searched for <b>filename</b>.
3930 * On Windows, only the current directory will be searched. Here, to search the
3931 * system path (as well as the application directory, current working
3932 * directory, and system directories), set filename to NULL.
3933 *
3934 * The strings in <b>argv</b> will be passed as the command line arguments of
3935 * the child program (following convention, argv[0] should normally be the
3936 * filename of the executable, and this must be the case if <b>filename</b> is
3937 * NULL). The last element of argv must be NULL. A handle to the child process
3938 * will be returned in process_handle (which must be non-NULL). Read
3939 * process_handle.status to find out if the process was successfully launched.
3940 * For convenience, process_handle.status is returned by this function.
3941 *
3942 * Some parts of this code are based on the POSIX subprocess module from
3943 * Python, and example code from
3944 * http://msdn.microsoft.com/en-us/library/ms682499%28v=vs.85%29.aspx.
3945 */
3946 int
3950 {
3951 #ifdef _WIN32
3961 STARTUPINFOA siStartInfo;
3964 SECURITY_ATTRIBUTES saAttr;
3969 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
3972 /* Assume failure to start process */
3975 /* Set up pipe for stdout */
3981 }
3984 "Failed to configure pipe for stdout communication with child "
3987 }
3989 /* Set up pipe for stderr */
3995 }
3998 "Failed to configure pipe for stderr communication with child "
4001 }
4003 /* Set up pipe for stdin */
4009 }
4012 "Failed to configure pipe for stdin communication with child "
4015 }
4017 /* Create the child process */
4019 /* Windows expects argv to be a whitespace delimited string, so join argv up
4020 */
4034 /* Create the child process */
4038 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4042 /*(TODO: set CREATE_NEW CONSOLE/PROCESS_GROUP to make GetExitCodeProcess()
4043 * work?) */
4058 /* TODO: Close hProcess and hThread in process_handle->pid? */
4063 }
4065 /* TODO: Close pipes on exit */
4069 pid_t pid;
4074 ssize_t nbytes;
4081 /* Represents where in the process of spawning the program is;
4082 this is used for printing out the error message */
4091 /* We do the strlen here because strlen() is not signal handler safe,
4092 and we are not allowed to use unsafe functions between fork and exec */
4097 /* Set up pipe for redirecting stdout, stderr, and stdin of child */
4104 }
4116 }
4130 }
4134 #ifdef _SC_OPEN_MAX
4141 }
4142 }
4143 #else
4145 #endif
4151 /* In child */
4153 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
4154 /* Attempt to have the kernel issue a SIGTERM if the parent
4155 * goes away. Certain attributes of the binary being execve()ed
4156 * will clear this during the execve() call, but it's better
4157 * than nothing.
4158 */
4160 #endif
4164 /* Link child stdout to the write end of the pipe */
4171 /* Link child stderr to the write end of the pipe */
4178 /* Link child stdin to the read end of the pipe */
4192 /* Close all other fds, including the read end of the pipe */
4193 /* XXX: We should now be doing enough FD_CLOEXEC setting to make
4194 * this needless. */
4197 }
4201 /* Call the requested program. We need the cast because
4202 execvp doesn't define argv as const, even though it
4203 does not modify the arguments */
4209 }
4211 /* If we got here, the exec or open(/dev/null) failed */
4215 error:
4216 {
4217 /* XXX: are we leaking fds from the pipe? */
4223 /* Write the error message. GCC requires that we check the return
4224 value, but there is nothing we can do if it fails */
4225 /* TODO: Don't use STDOUT, use a pipe set up just for this purpose */
4228 }
4229 }
4234 /* Never reached, but avoids compiler warning */
4236 }
4238 /* In parent */
4249 }
4255 /* TODO: If the child process forked but failed to exec, waitpid it */
4257 /* Return read end of the pipes to caller, and close write end */
4265 }
4268 process_handle_waitpid_cb,
4269 process_handle);
4278 }
4280 /* Return write end of the stdin pipe to caller, and close the read end */
4288 }
4291 /* Set stdin/stdout/stderr pipes to be non-blocking */
4297 }
4298 /* Open the buffered IO streams */
4306 }
4308 /** Destroy all resources allocated by the process handle in
4309 * <b>process_handle</b>.
4310 * If <b>also_terminate_process</b> is true, also terminate the
4311 * process of the process handle. */
4315 {
4322 #ifdef _WIN32
4324 #else
4326 #endif
4329 errstr);
4333 }
4334 }
4338 #ifdef _WIN32
4347 #else
4358 #endif
4362 }
4364 /** Get the exit code of a process specified by <b>process_handle</b> and store
4365 * it in <b>exit_code</b>, if set to a non-NULL value. If <b>block</b> is set
4366 * to true, the call will block until the process has exited. Otherwise if
4367 * the process is still running, the function will return
4368 * PROCESS_EXIT_RUNNING, and exit_code will be left unchanged. Returns
4369 * PROCESS_EXIT_EXITED if the process did exit. If there is a failure,
4370 * PROCESS_EXIT_ERROR will be returned and the contents of exit_code (if
4371 * non-NULL) will be undefined. N.B. Under *nix operating systems, this will
4372 * probably not work in Tor, because waitpid() is called in main.c to reap any
4373 * terminated child processes.*/
4374 int
4377 {
4378 #ifdef _WIN32
4379 DWORD retval;
4380 BOOL success;
4383 /* Wait for the process to exit */
4389 }
4393 /* Process has not exited */
4399 }
4400 }
4409 }
4410 }
4411 #else
4416 /* We haven't processed a SIGCHLD yet. */
4422 }
4424 /* We already got a SIGCHLD for this process, and handled it. */
4427 }
4430 /* Process has not exited */
4436 }
4442 }
4449 }
4451 /** Helper: return the number of characters in <b>s</b> preceding the first
4452 * occurrence of <b>ch</b>. If <b>ch</b> does not occur in <b>s</b>, return
4453 * the length of <b>s</b>. Should be equivalent to strspn(s, "ch"). */
4456 {
4460 else
4462 }
4464 /** Return non-zero iff getenv would consider <b>s1</b> and <b>s2</b>
4465 * to have the same name as strings in a process's environment. */
4466 int
4468 {
4474 }
4476 /** Free <b>env</b> (assuming it was produced by
4477 * process_environment_make). */
4478 void
4480 {
4483 /* As both an optimization hack to reduce consing on Unixoid systems
4484 * and a nice way to ensure that some otherwise-Windows-specific
4485 * code will always get tested before changes to it get merged, the
4486 * strings which env->unixoid_environment_block points to are packed
4487 * into env->windows_environment_block. */
4492 }
4494 /** Make a process_environment_t containing the environment variables
4495 * specified in <b>env_vars</b> (as C strings of the form
4496 * "NAME=VALUE"). */
4497 process_environment_t *
4499 {
4508 /* env->unixoid_environment_block is already NULL-terminated,
4509 * because we assume that NULL == 0 (and check that during compilation). */
4519 }
4522 /* env->windows_environment_block is already
4523 * (NUL-terminated-empty-string)-terminated. */
4525 /* Some versions of Windows supposedly require that environment
4526 * blocks be sorted. Or maybe some Windows programs (or their
4527 * runtime libraries) fail to look up strings in non-sorted
4528 * environment blocks.
4529 *
4530 * Also, sorting strings makes it easy to find duplicate environment
4531 * variables and environment-variable strings without an '=' on all
4532 * OSes, and they can cause badness. Let's complain about those. */
4537 /* Now copy the strings into the environment blocks. */
4538 {
4549 "Preparing an environment containing a variable "
4551 s);
4552 }
4556 "Preparing an environment containing two variables "
4559 }
4563 /* Actually copy the string into the environment. */
4567 }
4570 }
4575 }
4577 /** Return a newly allocated smartlist containing every variable in
4578 * this process's environment, as a NUL-terminated string of the form
4579 * "NAME=VALUE". Note that on some/many/most/all OSes, the parent
4580 * process can put strings not of that form in our environment;
4581 * callers should try to not get crashed by that.
4582 *
4583 * The returned strings are heap-allocated, and must be freed by the
4584 * caller. */
4587 {
4593 }
4596 }
4598 /** For each string s in <b>env_vars</b> such that
4599 * environment_variable_names_equal(s, <b>new_var</b>), remove it; if
4600 * <b>free_p</b> is non-zero, call <b>free_old</b>(s). If
4601 * <b>new_var</b> contains '=', insert it into <b>env_vars</b>. */
4602 void
4607 {
4613 }
4614 }
4619 }
4620 }
4622 #ifdef _WIN32
4623 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4624 * <b>hProcess</b> is NULL, the function will return immediately if there is
4625 * nothing more to read. Otherwise <b>hProcess</b> should be set to the handle
4626 * to the process owning the <b>h</b>. In this case, the function will exit
4627 * only once the process has exited, or <b>count</b> bytes are read. Returns
4628 * the number of bytes read, or -1 on error. */
4629 ssize_t
4632 {
4634 BOOL retval;
4635 DWORD byte_count;
4642 /* Check if there is anything to read */
4650 /* Nothing available: process exited or it is busy */
4652 /* Exit if we don't know whether the process is running */
4656 /* The process exited and there's nothing left to read from it */
4660 /* If process is not running, check for output one more time in case
4661 it wrote something after the peek was performed. Otherwise keep on
4662 waiting for output */
4669 }
4671 /* There is data to read; read it */
4679 /* End of file */
4681 }
4683 }
4685 }
4686 #else
4687 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4688 * <b>process</b> is NULL, the function will return immediately if there is
4689 * nothing more to read. Otherwise data will be read until end of file, or
4690 * <b>count</b> bytes are read. Returns the number of bytes read, or -1 on
4691 * error. Sets <b>eof</b> to true if <b>eof</b> is not NULL and the end of the
4692 * file has been reached. */
4693 ssize_t
4697 {
4708 /* Use fgets because that is what we use in log_from_pipe() */
4720 else
4726 }
4727 }
4728 }
4732 }
4736 }
4737 #endif
4739 /** Read from stdout of a process until the process exits. */
4740 ssize_t
4743 {
4744 #ifdef _WIN32
4746 process_handle);
4747 #else
4750 #endif
4751 }
4753 /** Read from stdout of a process until the process exits. */
4754 ssize_t
4757 {
4758 #ifdef _WIN32
4760 process_handle);
4761 #else
4764 #endif
4765 }
4767 /** Split buf into lines, and add to smartlist. The buffer <b>buf</b> will be
4768 * modified. The resulting smartlist will consist of pointers to buf, so there
4769 * is no need to free the contents of sl. <b>buf</b> must be a NUL-terminated
4770 * string. <b>len</b> should be set to the length of the buffer excluding the
4771 * NUL. Non-printable characters (including NUL) will be replaced with "." */
4772 int
4774 {
4775 /* Index in buf of the start of the current line */
4777 /* Index in buf of the current character being processed */
4779 /* Are we currently in a line */
4782 /* Loop over string */
4784 /* Loop until end of line or end of string */
4788 /* End of line */
4790 /* Point cur to the next line */
4791 cur++;
4792 /* Line starts at start and ends with a nul */
4797 }
4800 /* Skip leading vertical space */
4801 ;
4807 }
4808 }
4809 }
4810 /* We are at the end of the line or end of string. If in_line is true there
4811 * is a line which starts at buf+start and ends at a NUL. cur points to
4812 * the character after the NUL. */
4816 }
4818 }
4820 /** Return a string corresponding to <b>stream_status</b>. */
4823 {
4836 }
4837 }
4839 /* DOCDOC */
4840 static void
4843 {
4844 /* Parse error message */
4855 /* Failed to parse message from child process, log it as a
4856 warning */
4860 }
4861 }
4863 #ifdef _WIN32
4865 /** Return a smartlist containing lines outputted from
4866 * <b>handle</b>. Return NULL on error, and set
4867 * <b>stream_status_out</b> appropriately. */
4871 {
4884 }
4888 }
4890 /* End with a null even if there isn't a \r\n at the end */
4891 /* TODO: What if this is a partial line? */
4894 /* Split up the buffer */
4898 /* Currently 'lines' is populated with strings residing on the
4899 stack. Replace them with their exact copies on the heap: */
4906 }
4908 /** Read from stream, and send lines to log at the specified log level.
4909 * Returns -1 if there is a error reading, and 0 otherwise.
4910 * If the generated stream is flushed more often than on new lines, or
4911 * a read exceeds 256 bytes, lines will be truncated. This should be fixed,
4912 * along with the corresponding problem on *nix (see bug #2045).
4913 */
4914 static int
4916 {
4923 /* Error */
4926 }
4929 /* There's nothing to read (process is busy or has exited) */
4932 }
4934 /* End with a null even if there isn't a \r\n at the end */
4935 /* TODO: What if this is a partial line? */
4939 /* Split up the buffer */
4943 /* Log each line */
4945 {
4947 });
4951 }
4953 #else
4955 /** Return a smartlist containing lines outputted from
4956 * <b>handle</b>. Return NULL on error, and set
4957 * <b>stream_status_out</b> appropriately. */
4961 {
4976 }
4978 done:
4981 }
4983 /** Read from stream, and send lines to log at the specified log level.
4984 * Returns 1 if stream is closed normally, -1 if there is a error reading, and
4985 * 0 otherwise. Handles lines from tor-fw-helper and
4986 * tor_spawn_background() specially.
4987 */
4988 static int
4991 {
5004 }
5008 /* Check if buf starts with SPAWN_ERROR_MESSAGE */
5013 }
5014 }
5016 /* We should never get here */
5018 }
5019 #endif
5021 /** Reads from <b>stream</b> and stores input in <b>buf_out</b> making
5022 * sure it's below <b>count</b> bytes.
5023 * If the string has a trailing newline, we strip it off.
5024 *
5025 * This function is specifically created to handle input from managed
5026 * proxies, according to the pluggable transports spec. Make sure it
5027 * fits your needs before using it.
5028 *
5029 * Returns:
5030 * IO_STREAM_CLOSED: If the stream is closed.
5031 * IO_STREAM_EAGAIN: If there is nothing to read and we should check back
5032 * later.
5033 * IO_STREAM_TERM: If something is wrong with the stream.
5034 * IO_STREAM_OKAY: If everything went okay and we got a string
5035 * in <b>buf_out</b>. */
5036 enum stream_status
5038 {
5048 /* Program has closed stream (probably it exited) */
5049 /* TODO: check error */
5053 /* Nothing more to read, try again next time */
5056 /* There was a problem, abandon this child process */
5058 }
5059 }
5063 /* this probably means we got a NUL at the start of the string. */
5065 }
5068 /* Remove the trailing newline */
5071 /* No newline; check whether we overflowed the buffer */
5075 /* TODO: What to do with this error? */
5076 }
5079 }
5081 /* We should never get here */
5083 }
5085 /** Parse a <b>line</b> from tor-fw-helper and issue an appropriate
5086 * log message to our user. */
5087 static void
5089 {
5100 /* We need to check for SPAWN_ERROR_MESSAGE again here, since it's
5101 * possible that it got sent after we tried to read it in log_from_pipe.
5102 *
5103 * XXX Ideally, we should be using one of stdout/stderr for the real
5104 * output, and one for the output of the startup code. We used to do that
5105 * before cd05f35d2c.
5106 */
5110 }
5127 /* If there are more than 5 tokens, they are part of [<message>].
5128 Let's use a second smartlist to form the whole message;
5129 strncat loops suck. */
5139 /* wrap the message in log-friendly wrapping */
5143 }
5157 else
5162 "Please make sure that your router supports port "
5163 "forwarding protocols (like NAT-PMP). Note that if '%s' is "
5164 "your ORPort, your relay will be unable to receive inbound "
5167 internal_port);
5173 }
5177 err:
5181 done:
5186 }
5188 /** Read what tor-fw-helper has to say in its stdout and handle it
5189 * appropriately */
5190 static int
5193 {
5197 fw_helper_output =
5201 /* if EAGAIN we should retry in the future */
5203 }
5205 /* Handle the lines we got: */
5214 }
5216 /** Spawn tor-fw-helper and ask it to forward the ports in
5217 * <b>ports_to_forward</b>. <b>ports_to_forward</b> contains strings
5218 * of the form "<external port>:<internal port>", which is the format
5219 * that tor-fw-helper expects. */
5220 void
5224 {
5225 /* When fw-helper succeeds, how long do we wait until running it again */
5226 #define TIME_TO_EXEC_FWHELPER_SUCCESS 300
5227 /* When fw-helper failed to start, how long do we wait until running it again
5228 */
5229 #define TIME_TO_EXEC_FWHELPER_FAIL 60
5231 /* Static variables are initialized to zero, so child_handle.status=0
5232 * which corresponds to it not running on startup */
5241 /* Start the child, if it is not already running */
5244 /*tor-fw-helper cli looks like this: tor_fw_helper -p :5555 -p 4555:1111 */
5251 /* check for overflow during 'argv' allocation:
5252 (len(ports_to_forward)*2 + 2)*sizeof(char*) > SIZE_MAX ==
5253 len(ports_to_forward) > (((SIZE_MAX/sizeof(char*)) - 2)/2) */
5259 }
5260 /* check for overflow during 'argv_index' increase:
5261 ((len(ports_to_forward)*2 + 2) > INT_MAX) ==
5262 len(ports_to_forward) > (INT_MAX - 2)/2 */
5267 }
5269 /* Calculate number of cli arguments: one for the filename, two
5270 for each smartlist element (one for "-p" and one for the
5271 ports), and one for the final NULL. */
5282 /* Assume tor-fw-helper will succeed, start it later*/
5288 }
5290 #ifdef _WIN32
5291 /* Passing NULL as lpApplicationName makes Windows search for the .exe */
5293 #else
5295 #endif
5302 filename);
5305 }
5310 }
5312 /* If child is running, read from its stdout and stderr) */
5314 /* Read from stdout/stderr and log result */
5316 #ifdef _WIN32
5318 #else
5321 #endif
5326 }
5329 /* There was a problem in the child process */
5331 }
5333 /* Combine the two statuses in order of severity */
5335 /* There was a failure */
5337 #ifdef _WIN32
5339 PROCESS_EXIT_RUNNING) {
5340 /* process has exited or there was an error */
5341 /* TODO: Do something with the process return value */
5342 /* TODO: What if the process output something since
5343 * between log_from_handle and tor_get_exit_code? */
5345 }
5346 #else
5348 /* stdout or stderr was closed, the process probably
5349 * exited. It will be reaped by waitpid() in main.c */
5350 /* TODO: Do something with the process return value */
5352 #endif
5353 else
5354 /* Both are fine */
5357 /* If either pipe indicates a failure, act on it */
5365 }
5367 /* TODO: The child might not actually be finished (maybe it failed or
5368 closed stdout/stderr), so maybe we shouldn't start another? */
5369 }
5370 }
5371 }
5373 /** Initialize the insecure RNG <b>rng</b> from a seed value <b>seed</b>. */
5374 void
5376 {
5378 }
5380 /** Return a randomly chosen value in the range 0..TOR_WEAK_RANDOM_MAX based
5381 * on the RNG state of <b>rng</b>. This entropy will not be cryptographically
5382 * strong; do not rely on it for anything an adversary should not be able to
5383 * predict. */
5384 int32_t
5386 {
5387 /* Here's a linear congruential generator. OpenBSD and glibc use these
5388 * parameters; they aren't too bad, and should have maximal period over the
5389 * range 0..INT32_MAX. We don't want to use the platform rand() or random(),
5390 * since some platforms have bad weak RNGs that only return values in the
5391 * range 0..INT16_MAX, which just isn't enough. */
5394 }
5396 /** Return a random number in the range [0 , <b>top</b>). {That is, the range
5397 * of integers i such that 0 <= i < top.} Chooses uniformly. Requires that
5398 * top is greater than 0. This randomness is not cryptographically strong; do
5399 * not rely on it for anything an adversary should not be able to predict. */
5400 int32_t
5402 {
5403 /* We don't want to just do tor_weak_random() % top, since random() is often
5404 * implemented with an LCG whose modulus is a power of 2, and those are
5405 * cyclic in their low-order bits. */
5413 }
5415 /** Cast a given double value to a int64_t. Return 0 if number is NaN.
5416 * Returns either INT64_MIN or INT64_MAX if number is outside of the int64_t
5417 * range. */
5418 int64_t
5420 {
5423 /* NaN is a special case that can't be used with the logic below. */
5426 }
5428 /* Time to validate if result can overflows a int64_t value. Fun with
5429 * float! Find that exponent exp such that
5430 * number == x * 2^exp
5431 * for some x with abs(x) in [0.5, 1.0). Note that this implies that the
5432 * magnitude of number is strictly less than 2^exp.
5433 *
5434 * If number is infinite, the call to frexp is legal but the contents of
5435 * exp are unspecified. */
5438 /* If the magnitude of number is strictly less than 2^63, the truncated
5439 * version of number is guaranteed to be representable. The only
5440 * representable integer for which this is not the case is INT64_MIN, but
5441 * it is covered by the logic below. */
5444 }
5446 /* Handle infinities and finite numbers with magnitude >= 2^63. */
5448 }