CHANGES | 1 + dht-bootstrap.c | 72 +++++++++++++++++++++++++++++------------------------ diff --git a/CHANGES b/CHANGES index 1af4ef3d166f1c1195a92ebf8322ddde49942729..d54f227682f81da8e8676ac2b88e5e433f4f59cb 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,7 @@ * Ability to explicitly specify IP addresses to bind to * select() replaced with poll() * arc4random instead of /dev/urandom reading + * Some simple hardening 20 November 2011: dht-bootstrap-0.2 diff --git a/dht-bootstrap.c b/dht-bootstrap.c index eef8b06884657f982a2aa518912bc524d11cef70..e8c0b2c7bd87dc7bc40359e4f8223af248cf006c 100644 --- a/dht-bootstrap.c +++ b/dht-bootstrap.c @@ -20,6 +20,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +#include #include #include #include @@ -29,6 +30,7 @@ #include #include #include #include +#include #include #include #include @@ -139,16 +141,14 @@ static int token_bucket_tokens; static FILE *dht_debug = NULL; -#ifdef __GNUC__ -__attribute__((format(printf, 1, 2))) -#endif static void debugf(const char *format, ...) { + if (dht_debug == NULL) + return; va_list args; va_start(args, format); - if (dht_debug) - vfprintf(dht_debug, format, args); + vfprintf(dht_debug, format, args); va_end(args); fflush(dht_debug); } 
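Review bot: Removing `__attribute__((format(printf, 1, 2)))` from `debugf` takes away the compiler's format-string checking for every caller, which is a step backwards in a commit described as hardening. Without the attribute, `-Wformat` can no longer flag a mismatched argument or a non-literal format passed to `debugf`, and the function forwards its format straight to `vfprintf`. I would keep the new early `dht_debug == NULL` return and restore the guarded attribute above the definition: `#ifdef __GNUC__` / `__attribute__((format(printf, 1, 2)))` / `#endif`.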
@@ -369,32 +369,33 @@ memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_DGRAM; struct addrinfo *res = NULL; - int err = getaddrinfo(host, port, &hints, &res); - if (err != 0) { - fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(err)); - exit(1); - } + int rc = getaddrinfo(host, port, &hints, &res); + if (rc != 0) + err(EXIT_FAILURE, "getaddrinfo: %s\n", gai_strerror(rc)); int sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (sock == -1) { - perror("socket"); - exit(1); - } - if (bind(sock, res->ai_addr, res->ai_addrlen) != 0) { - perror("bind"); - exit(1); - } - int rc = fcntl(sock, F_GETFL, 0); - if (rc < 0) { - perror("F_GETFL"); - exit(1); - } + if (sock == -1) + err(EXIT_FAILURE, "socket()"); + if (bind(sock, res->ai_addr, res->ai_addrlen) != 0) + err(EXIT_FAILURE, "bind()"); + rc = fcntl(sock, F_GETFL, 0); + if (rc < 0) + err(EXIT_FAILURE, "F_GETFL"); rc = fcntl(sock, F_SETFL, (rc | O_NONBLOCK)); - if (rc < 0) { - perror("F_SETFL"); - exit(1); - } + if (rc < 0) + err(EXIT_FAILURE, "F_SETFL"); freeaddrinfo(res); return sock; +} + +static void +rlimited(int res) +{ + struct rlimit r; + r.rlim_cur = 0; + r.rlim_max = 0; + if (setrlimit(res, &r) == -1) { + err(EXIT_FAILURE, "can not setrlimit()"); + } } int @@ -460,10 +461,8 @@ hints.ai_family = AF_INET6; else if (dht_socket6 < 0) hints.ai_family |= AF_INET; rc = getaddrinfo(argv[i], argv[i + 1], &hints, &info); - if (rc != 0) { - fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc)); - exit(1); - } + if (rc != 0) + err(EXIT_FAILURE, "getaddrinfo: %s\n", gai_strerror(rc)); i++; if (i >= argc) @@ -489,6 +488,15 @@ fds[0].fd = dht_socket; fds[0].events = POLLIN; fds[1].fd = dht_socket6; fds[1].events = POLLIN; + + close(STDIN_FILENO); + if (quiet) + close(STDOUT_FILENO); + rlimited(RLIMIT_NPROC); + rlimited(RLIMIT_FSIZE); +#if __FreeBSD__ + rlimited(RLIMIT_NOFILE); +#endif // __FreeBSD__ while (1) { int tv_sec = 0; 
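Review bot: `err()` is the wrong call for the `getaddrinfo` failure, because it appends `strerror(errno)` and its own newline, while `getaddrinfo` reports through its return value and only sets a meaningful `errno` for `EAI_SYSTEM`. As written, the message ends with an unrelated errno string after the embedded `\n`. Use `errx(EXIT_FAILURE, "getaddrinfo: %s", gai_strerror(rc));` here and on the identical line in the `@@ -460,10 +461,8 @@` hunk. The new `rlimited()` helper would also benefit from a short comment stating that it sets both the soft and the hard limit to zero, so an unprivileged process cannot raise the limit again. The socket-setup function this hunk edits begins outside the hunk.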
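Review bot: `close(STDIN_FILENO)` and `close(STDOUT_FILENO)` leave descriptors 0 and 1 free, so a later `open()` or `socket()` in the process would be handed one of them and any stray stdio read or write would land on that descriptor. Pointing them at `/dev/null` keeps the slots occupied: `int nullfd = open("/dev/null", O_RDWR);` followed by `dup2(nullfd, STDIN_FILENO);` (and `STDOUT_FILENO` when `quiet`), with the return values checked. Separately, `rlimited(RLIMIT_FSIZE)` makes any write that grows a regular file raise `SIGXFSZ`; if debug output can end up in a regular file when `quiet` is not set (not visible in this hunk), that would kill the process, so it deserves a guard or at least a comment. A one-line comment on why `RLIMIT_NOFILE` is applied on FreeBSD only would help the next reader. `main` starts before and continues after this hunk.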
@@ -696,7 +704,7 @@ } usage: fprintf(stderr, "dht-bootstrap [-q] [-4 ADDR4] [-6 ADDR6] port [node port...]\n"); - exit(1); + exit(EXIT_FAILURE); } /* We could use a proper bencoding printer and parser, but the format of