• src/sbbs3/websrvr.cpp

  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 19:41:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/3ad3f0282bcff37fa1926121
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: cast away two best-effort unchecked returns (CIDs 639932, 639941)

    CID 639932: remove(cleanup_file[i]) in close_request — best-effort
    cleanup of temporary request files; failure is benign.
    CID 639941: setsockopt(TCP_NODELAY) in http_session_thread — latency
    hint; failure is non-fatal. Also widen the bool nodelay to
    int so it has correct setsockopt() type.

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 19:41:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/62b41cd33f2fa4292d83710d
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: handle getuserdat failures in http_logon and check_ars (CIDs 516407, 516410, 639949)

    Both call sites set user.number then read the rest of the user record
    via getuserdat(). On read failure the user struct was left partially
    populated, then used for password comparison or downstream session
    state. Treat the failure as a system error: log it and either fall
    back to an unauthenticated session (http_logon) or reject the auth
    attempt (check_ars).

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 19:41:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/65d46495860f18fb2c9a5882
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: suppress send_error ORDER_REVERSAL false-positive (CID 631137)

    Coverity reports an ORDER_REVERSAL between link_list.mutex and
    jsrt_mutex when http_session_thread calls send_error() in the
    client-limit branches. The link_list helpers in this thread
    (loginAttempts, client_on, listCountMatches) acquire+release their
    list mutex internally — nothing holds a list mutex when send_error
    runs js_setup() which acquires jsrt_mutex. Annotate both 503/429
    send_error sites with a SUPPRESS plus rationale.

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 22:36:57 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/6ad832522da440e614b8fcdf
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: clamp tls_sent and explicit cast in sess_sendbuf return (CID 639935)

    The TLS path assigns 'result = tls_sent' where tls_sent is int and
    could theoretically be negative on cryptlib edge cases. Adding it
    to size_t 'sent' would underflow. Guard with 'if (result > 0)'.

    Also make the size_t-to-int returns explicit casts so Coverity sees
    the narrowing is intentional.

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
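
The signed-to-size_t wrap described in the commit message above, as an added example that is not part of the commit or of Synchronet's code. The mock transport, the scripts and the function names are assumptions made for illustration; only the `result > 0` guard comes from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed transport scripts: the value each send call returns. A negative
 * entry models the error edge case; none of this is cryptlib's real API. */
const int ERR_FIRST[] = { -1 };
const int ERR_AFTER_DATA[] = { 4, -1, 6 };

struct mock_tls { const int *script; size_t n, pos; };

static int mock_tls_send(struct mock_tls *t)
{
    return t->pos < t->n ? t->script[t->pos++] : 0; /* 0: script exhausted */
}

/* Unguarded: the int result is converted to size_t before the add, so -1
 * becomes SIZE_MAX and the byte counter wraps. */
size_t sendbuf_unguarded(const int *script, size_t n, size_t len)
{
    struct mock_tls t = { script, n, 0 };
    size_t sent = 0;
    while (sent < len) {
        int result = mock_tls_send(&t);
        if (result == 0) break;
        sent += (size_t)result; /* same value the implicit conversion yields */
    }
    return sent;
}

/* Guarded as in the commit message: only 'result > 0' is accumulated. */
size_t sendbuf_guarded(const int *script, size_t n, size_t len)
{
    struct mock_tls t = { script, n, 0 };
    size_t sent = 0;
    while (sent < len) {
        int result = mock_tls_send(&t);
        if (result <= 0) break;
        sent += (size_t)result;
    }
    return sent;
}

int main(void)
{
    printf("unguarded: %zu, guarded: %zu\n",
           sendbuf_unguarded(ERR_FIRST, 1, 10), sendbuf_guarded(ERR_FIRST, 1, 10));
    return 0;
}
```

With an error on the first call the unguarded counter reports SIZE_MAX bytes sent for a 10-byte buffer; with an error after data it silently drifts instead, which is harder to spot.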
  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 22:51:40 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/c7df44f17c494f7277ac112e
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: skip getuserdat for anonymous sessions in http_logon

    Regression from 9e7649fe0: when http_logon is called with usr=NULL
    on an anonymous request (session->user.number == 0), getuserdat
    legitimately fails because user 0 doesn't exist, which now spams
    the log with '!ERROR reading user #0 data' on every anon hit.

    Only call getuserdat when there's an actual user number to read.

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
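
The two getuserdat commits above (fail closed on a read error, and skip the read for user 0), as an added example that is not part of either commit or of Synchronet's code. The struct, the store and every function name are simplified assumptions; only the log text is taken from the message. In this constructed model a failed read leaves the password field empty, which is why the unchecked comparison matters.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins, not Synchronet's user_t or getuserdat(). */
struct user { unsigned number; char pass[16]; };
int error_logs; /* number of read errors logged so far */

/* Constructed store: record 1 reads fine, every other record fails. */
static int load_user(struct user *u)
{
    if (u->number != 1)
        return -1; /* u->pass stays as the caller left it */
    strcpy(u->pass, "s3cret");
    return 0;
}

/* Checked read: logs the failure so the caller only has to test the result. */
static int load_user_logged(struct user *u)
{
    if (load_user(u) == 0)
        return 0;
    error_logs++;
    fprintf(stderr, "!ERROR reading user #%u data\n", u->number);
    return -1;
}

/* Before: the read result is ignored and the empty record is compared. */
int check_auth_unchecked(unsigned number, const char *supplied)
{
    struct user u = { number, "" };
    load_user(&u);
    return strcmp(u.pass, supplied) == 0;
}

/* After: a failed read rejects the attempt. */
int check_auth_checked(unsigned number, const char *supplied)
{
    struct user u = { number, "" };
    return load_user_logged(&u) == 0 && strcmp(u.pass, supplied) == 0;
}

/* Logon: returns the effective user number; 0 is an unauthenticated session.
 * User 0 is anonymous, so there is no record to read and nothing to log. */
unsigned logon(unsigned number)
{
    struct user u = { number, "" };
    return (number != 0 && load_user_logged(&u) == 0) ? u.number : 0;
}

int main(void) { return check_auth_checked(2, "") != 0; } /* exits 0: rejected */
```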
  • From Rob Swindell (on Windows 11)@1:103/705 to Git commit to main/sbbs/master on Wed May 6 23:04:20 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/c94f75aa58112c228a8cdce9
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: include protocol, IP, request, and ARS in no-auth log

    The "!No authentication information" debug log line now reports the
    protocol, client address, request line, and the ARS string that triggered
    the auth requirement, so it's actionable when WEB_OPT_DEBUG_RX is on.

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell (on Debian Linux)@1:103/705 to Git commit to main/sbbs/master on Sat May 9 14:04:17 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/f7b10a614935817ba8965ec1
    Modified Files:
    src/sbbs3/websrvr.cpp
    Log Message:
    websrvr: don't call destroy_session() with sentinel tls_sess value (-1)

    When TLS setup fails after add_private_key() returns an error, the code
    calls cryptDestroySession() directly and sets tls_sess = -1, then calls
    close_session_no_rb() which would pass -1 to destroy_session(), triggering
    a spurious "Destroying a session (-1) that's not in sess_list" error.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)