- Move `struct NAT` from `toxcore/DHT.h` to `toxcore/DHT.c` to improve
encapsulation.
- Add `tcp_packet_type_to_string` and `tcp_packet_from_int` to
`toxcore/TCP_common` for better debug logs.
- Add `net_family_to_string` to `toxcore/net` for the same reason.
- Change length from `uint16_t` to `uint32_t` in `make_gc_handshake_packet`.
- Add explicit cast to `uint16_t` when calling `wrap_group_handshake_packet`.
This is a hardening measure. Currently, `MAX_SENT_GC_NODES` is 1, so the
length variable (`uint16_t`) cannot overflow. However, if this constant
were increased significantly in the future, the addition
`length += nodes_size` could wrap around. This change eliminates that latent risk.
Move core networking types and the Network interface to net, and the
standard OS socket implementation to os_network. Update network to use
these new abstractions.
- Add `MpscQueue` for thread-safe task scheduling.
- Add `ToxRunner` to execute Tox instances in dedicated threads.
- Update `Simulation` to coordinate time steps across multiple runners using a synchronization barrier.
- Refactor `FakeMemory` and `FakeClock` to be thread-safe.
- Update `tox_network` helpers and tests to utilize the threaded runner infrastructure.
Update event generator to use mem_balloc/mem_delete for byte arrays in
events, ensuring consistency with Tox memory management. Also fix struct
initialization to use compound literals compliant with tokstyle.
Properly lock virtual clock access and snapshot synchronization to
address Coverity CIDs 1668069, 1668068, 1668067, 1668066. Use a separate
clock_mutex to avoid the need for recursive mutexes and ensure
portability.
Introduces a new testing support library 'testing/support' that provides
a clean, modular, and fully deterministic environment for testing
toxcore components.
Some clients might send the sanctions list signatures unsorted, which
causes the credentials hash validation to fail because the hash is
sensitive to the order of signatures.
This updates the validation logic to verify the credentials hash against
both the sorted (default) and unsorted signature list. If the sorted
check fails but the unsorted check succeeds, the credentials are
accepted.
When a peer processes a topic packet that matches the current topic lock
version, it typically accepts it. However, if this packet is a delayed
sync packet containing the *previous* topic, it causes the topic to
revert.
This commit adds a check in `handle_gc_topic_validate`. If the incoming
topic checksum matches the `topic_prev_checksum` (the checksum of the
topic before the current one) and the current topic was set recently
(within `GC_CONFIRMED_PEER_TIMEOUT`), we reject the update as a probable
sync error.
Added `auto_tests/scenarios/scenario_group_topic_revert_test.c` to
reproduce and verify the fix.
Replaces the use of the platform-specific `Network_Addr` in the public
`Network_Funcs` interface with the platform-independent `IP_Port`
struct, allowing higher-level abstractions (like simulated networks for
testing) to interact with the network layer without needing to depend on
or mock low-level OS socket headers.
- Fix a potential division by zero crash in `toxav/audio.c` when
`lp_sampling_rate` is 0.
- Fix unsafe hex string parsing in `bootstrap_daemon/config.c` that
could leave variables uninitialized (replacing `sscanf` with a safe
helper).
Also address various clang-tidy findings:
- Enforce const correctness and fix implicit bool conversions in
`toxav`.
- Sort includes in `toxav`.
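The hex-parsing fix above is the kind of helper shown here. This is an added example, not the code from `bootstrap_daemon/config.c`: the function names `hex_nibble`, `hex_string_to_bin` and `parse_demo_key` are assumed, and the 4-byte key length is a demo shortcut (a real Tox public key is 32 bytes).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if `c` is not one (no isxdigit(): its
 * behaviour on negative char values is undefined). */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode exactly `out_len` bytes from `hex`. Succeeds only if the string is
 * exactly 2*out_len hex digits: no prefix, no trailing text, no odd length.
 * On any failure `out` is fully zeroed, so, unlike an unchecked sscanf("%2hhx")
 * loop that stops at the first bad character, the tail of `out` is never left
 * holding uninitialised stack contents. */
bool hex_string_to_bin(const char *hex, uint8_t *out, size_t out_len)
{
    memset(out, 0, out_len);
    if (hex == NULL || strlen(hex) != out_len * 2) return false;
    for (size_t i = 0; i < out_len; ++i) {
        const int hi = hex_nibble(hex[2 * i]);
        const int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            memset(out, 0, out_len); /* discard the partial decode */
            return false;
        }
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

/* Demo wrapper (assumed name): decodes a 4-byte key and returns it packed
 * big-endian, or -1 if the input was rejected. */
long long parse_demo_key(const char *hex)
{
    uint8_t key[4];
    if (!hex_string_to_bin(hex, key, sizeof key)) return -1;
    return ((long long)key[0] << 24) | ((long long)key[1] << 16) | ((long long)key[2] << 8) | key[3];
}

int main(void)
{
    /* Constructed samples: valid, odd length, non-hex digit, "0x" prefix. */
    const char *inputs[] = { "00FF7a10", "00FF7a1", "00FFzz10", "0x00FF7a10" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i)
        printf("%-12s -> %lld\n", inputs[i], parse_demo_key(inputs[i]));
    return 0;
}
```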
Also add a bunch of casts where needed. I've tried to model everything
in such a way that it minimises casts. The casts *should* be safe, but
it's not always obvious. In the obvious cases, we should have a linter
that validates it. In the non-obvious cases, that linter should warn and
require that we add a null check. I've added some null checks in some
cases but not all.
Also, refactored some of the constructor functions to never assign a
maybe-null value to a non-null struct member, instead using a temporary
local variable to check if construction/allocation succeeded.
* DHT Routing: Fixed dual-stack handling to clear stale IPv4/IPv6 associations when a node's address updates.
* Performance: Switched to memcmp for public key/hash comparisons (safe for non-secrets).
* Group Chat Reliability:
  * Added logic to use friend connection IPs as a fallback if DHT discovery is slow, with a fix to prevent overwriting existing valid IPs.
  * Increased handshake connection limits and fixed full-group sync behavior.
  * Enforced list sorting and fixed timestamps to ensure consistent moderation state hashes across all peers.
The `rtp_receive_packet` function (via `fill_data_into_slot`) relied on
the `data_length_full` field in the RTP header to allocate the frame
buffer, but failed to verify that the actual payload length of the
incoming packet fit within this allocated size. A malicious peer could
send a packet with a small `data_length_full` but a large payload,
causing `memcpy` to write past the end of the buffer.
This commit adds a bounds check to ensure that the packet offset plus
the payload length does not exceed the total frame length. Tested via
unit tests.
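The bounds check described in this commit, as an added example rather than toxcore's own `fill_data_into_slot`: the `RtpPiece` struct is a constructed stand-in for the RTP fields involved, and `piece_fits_frame`, `fill_data_into_slot_checked` and `hostile_piece_is_rejected` are assumed names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the RTP fields involved (not toxcore's struct):
 * the header's claimed full frame length, this piece's offset in the frame,
 * and the payload this packet actually carries. */
typedef struct RtpPiece {
    uint32_t data_length_full;
    uint32_t offset_full;
    uint32_t payload_len;
    const uint8_t *payload;
} RtpPiece;

/* True if `payload_len` bytes written at `offset_full` stay within a frame of
 * `frame_len` bytes. Two comparisons rather than `offset + len <= frame_len`,
 * so the sum itself cannot wrap a uint32_t and slip past the check. */
bool piece_fits_frame(uint32_t frame_len, uint32_t offset_full, uint32_t payload_len)
{
    return offset_full <= frame_len && payload_len <= frame_len - offset_full;
}

/* Hardened slot fill. `frame` was allocated with `frame_len` bytes taken from
 * the header's data_length_full; the copy happens only if the received payload
 * actually fits there. Returns 0 on success, -1 if the packet is rejected. */
int fill_data_into_slot_checked(uint8_t *frame, uint32_t frame_len, const RtpPiece *piece)
{
    if (!piece_fits_frame(frame_len, piece->offset_full, piece->payload_len)) return -1;
    memcpy(frame + piece->offset_full, piece->payload, piece->payload_len);
    return 0;
}

/* The scenario from the commit message: the header claims a 16-byte frame, the
 * packet carries 64 bytes. Returns true if the hardened fill rejected it. */
bool hostile_piece_is_rejected(void)
{
    static const uint8_t payload[64] = {0};
    uint8_t frame[16] = {0};                       /* sized from data_length_full */
    const RtpPiece hostile = { 16, 0, sizeof payload, payload };
    return fill_data_into_slot_checked(frame, hostile.data_length_full, &hostile) != 0;
}

int main(void)
{
    printf("oversized payload %s\n", hostile_piece_is_rejected() ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```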
- Refactor MSISession to use a mandatory MSICallbacks struct in msi_new.
- Remove individual MSI callback setters to enforce full initialization.
- Fix doubly linked list corruption in new_call when reusing friend numbers.
- Fix missing capability updates and callback triggers during friend recall.
- Remove legacy toxav_hacks.h and clean up build files.
- Remove invalid vpx_img_free call in vc_iterate.
- Make vc_reconfigure_encoder atomic and add resolution limits.
- Support 32-bit RTPMessage lengths to correctly handle large frames.
- Ensure len is correctly set for assembled video frames.
- Add security checks for incoming frame sizes and resolutions.
- Significantly expand video and rtp unit tests covering security scenarios.
- Clean up VCSession structure and improve internal API consistency.
- Use #define for security constants in video module.
- Fix heap-buffer overflow in `ac_iterate` (PLC) by validating sampling rates and channel counts from untrusted RTP packets.
- Fix out-of-bounds read by adding explicit packet length validation (minimum 5 bytes).
- Fix jitter buffer reset bug where late packets caused a full buffer clear due to unsigned wrap-around.
- Fix jitter buffer PLC logic to correctly handle sequence number wrap-around at 16-bit boundaries.
- Refactor `ac_iterate` to process all currently ready packets in a single call, improving throughput.
- Optimize `ac_iterate` by moving the large scratch buffer allocation outside the packet processing loop.
- Add unit tests covering jitter buffer edge cases, wrap-around scenarios, and malicious packet handling.
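The two wrap-around fixes in this list (the late-packet buffer clear and the PLC count at the 16-bit boundary) both come down to comparing sequence numbers with signed serial-number arithmetic. The following is an added example, not toxcore's jitter buffer code: `seq_distance`, `jb_classify` and `plc_missing_count` are assumed names, and the accept/reset policy is a simplified assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Signed distance from `reference` to `seq` in 16-bit serial-number
 * arithmetic: positive when `seq` is ahead, negative when it is behind.
 * Reducing to uint16_t and then reading it as int16_t is what turns
 * 0x0003 - 0xFFFE into +5 instead of the huge value a plain unsigned
 * subtraction yields. */
int16_t seq_distance(uint16_t seq, uint16_t reference)
{
    return (int16_t)(uint16_t)(seq - reference);
}

/* Outcome for one arriving packet. This is an assumed, simplified policy that
 * illustrates the fix, not toxcore's actual jitter buffer logic. */
typedef enum JbDecision { JB_LATE, JB_RESET, JB_ACCEPT } JbDecision;

JbDecision jb_classify(uint16_t seq, uint16_t expected, uint8_t capacity)
{
    const int16_t d = seq_distance(seq, expected);
    if (d < 0) {
        /* A late packet. With plain unsigned subtraction a packet from just
         * before a wrap looked like a gap of ~65000 and cleared the buffer. */
        return JB_LATE;
    }
    if (d >= capacity) {
        return JB_RESET; /* stream moved on further than we can buffer */
    }
    return JB_ACCEPT;
}

/* Packets to conceal (PLC) between the last played sequence number and `seq`.
 * 0xFFFE -> 0x0001 is two lost packets (0xFFFF, 0x0000), not 65533. */
uint16_t plc_missing_count(uint16_t seq, uint16_t last_played)
{
    const int16_t d = seq_distance(seq, last_played);
    return d > 1 ? (uint16_t)(d - 1) : 0;
}

int main(void)
{
    printf("0x0003 vs 0xFFFE: distance %d\n", seq_distance(0x0003, 0xFFFE));
    printf("missing between 0xFFFE and 0x0001: %u\n", (unsigned)plc_missing_count(0x0001, 0xFFFE));
    return 0;
}
```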
- Refactor `ACSession` to be opaque and provide accessor for frame duration.
- Fix rate limiting logic to be wrap-around safe for timestamps.
- Fix potential division-by-zero/sum-overflow in percentage calculation by using double precision.
- Fix NULL callback dereference in send_update.
- Add comprehensive unit tests covering edge cases and bug scenarios.
- Refactor BWController to be more testable by injecting a packet sending callback.
The tox_log_level.h header file was added as a public API header in
version 0.2.21, but was not included in the libtoxcore_la_include_HEADERS
variable in toxcore/Makefile.inc. This caused the header to not be
installed when building with autotools, leading to compilation errors
for applications that include tox_options.h (which depends on
tox_log_level.h, like qTox).
This patch adds tox_log_level.h to the list of installed headers,
matching the behavior of the CMake build system.
Commit: c834472637
Fixes: compilation error "tox_log_level.h: No such file or directory"
Instead of transitively loading them from dependencies, we should be
explicit about what each object needs. The downside of this is that it's
not clear whether the object and its dependency use the same common
dependency. The upside is that we don't expose those getters of internal
dependencies.