Promote audit fixes F-23, F-31, F-32 to master#161
Merged
adequatelimited merged 6 commits intomasterfrom Apr 13, 2026
Merged
Conversation
…1-record read read_tfile() returns size_t but previously returned VERROR (==1) on fopen() failure, which is indistinguishable from a successful read of one trailer. Callers that check `!= 1` or `<= 0` silently accepted the error as success and continued with uninitialized buffer data on the consensus-critical paths (ng_val, contention, send_found). Return 0 on error instead. All existing callers already check `!= 1`, `<= 0`, or `!= NTFTX` which correctly detect 0. Also wire up the pre-existing TODO in send_found() to check count != NTFTX and exit the forked child on incomplete read. Unit test in src/test/tfile-read-error.c covers the three cases: missing file, partial read, and seek-past-EOF.
…eturn fix(tfile): read_tfile() returns 0 on error instead of 1 (F-23, #99)
get_hash() leaked np->sd on send_op() or recv_tx() failure: both early returns skipped sock_close(). Under repeated peer probing failures (common on unreachable or misbehaving peers) this exhausts the fd limit and prevents new outbound connections. Restructure with a single CLEANUP label so every exit path -- success, I/O failure, and malformed response -- closes the socket before returning. Matches the DROP_CLEANUP/ERROR_CLEANUP idiom used elsewhere in the codebase.
fix(network): close socket on every exit path in get_hash() (F-31, #117)
The while(count && ecode == VEOK) condition at sync.c:138 reads the shared count outside any OMP_CRITICAL_ section, while the two decrements are inside critical sections. Per the OpenMP memory model, the flush on critical-exit is not paired with an unsynchronized reader, so the read can observe stale cached values (or be a data race by C11; TSan will flag it). Shadow the parameter with a local `volatile word32 count = count_in`. volatile forces a memory read each iteration; combined with the writers' implicit flush on critical-exit, this establishes the needed happens-before. Same treatment applied to the analogous ecode read in tfile.c under F-10. Analyzed the underflow claim from the original issue and confirmed it is not reachable -- each thread's loop body decrements at most once before breaking. See github.com//issues/112 comment for the trace.
fix(sync): close data race on catchup() count read (F-32, #112)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes three audit remediations from `audit-fixes` to `master`.
Contents
Test plan