From 767516680c03dfcd145033eff66fa3b0ca7d4b5b Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sun, 22 Jan 2017 11:32:54 -0500
Subject: [PATCH] TROVE-2017-001 : move -ftrapv back into
 --expensive-hardening.

---
 changes/trove-2017-001 |  8 ++++++++
 configure.ac           | 15 ++++++++++-----
 2 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 changes/trove-2017-001

diff --git a/changes/trove-2017-001 b/changes/trove-2017-001
new file mode 100644
index 000000000..5187e6d5f
--- /dev/null
+++ b/changes/trove-2017-001
@@ -0,0 +1,8 @@
+  o Major bugfixes (security):
+    - Downgrade the "-ftrapv" option from "always on" to "only on when
+      --enable-expensive-hardening is provided."  This hardening option, like
+      others, can turn survivable bugs into crashes--and having it on by
+      default made a (relatively harmless) integer overflow bug into a
+      denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
+      0.2.9.1-alpha.
+
diff --git a/configure.ac b/configure.ac
index 1e226a471..150637366 100644
--- a/configure.ac
+++ b/configure.ac
@@ -761,14 +761,15 @@ m4_ifdef([AS_VAR_IF],[
        TOR_CHECK_CFLAGS(-fPIE)
        TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
     fi
-    TOR_TRY_COMPILE_WITH_CFLAGS(-ftrapv, also_link, CFLAGS_FTRAPV="-ftrapv", true)
     TOR_TRY_COMPILE_WITH_CFLAGS(-fwrapv, also_link, CFLAGS_FWRAPV="-fwrapv", true)
-    if test "$tor_cv_cflags__ftrapv" = "yes" && test "$tor_can_link__ftrapv" != "yes"; then
-      AC_MSG_WARN([The compiler supports -ftrapv, but for some reason I was not able to link with -ftrapv. Are you missing run-time support? Run-time hardening will not work as well as it should.])
-    fi
 fi
 
 if test "x$enable_expensive_hardening" = "xyes"; then
+    TOR_TRY_COMPILE_WITH_CFLAGS(-ftrapv, also_link, CFLAGS_FTRAPV="-ftrapv", true)
+   if test "$tor_cv_cflags__ftrapv" = "yes" && test "$tor_can_link__ftrapv" != "yes"; then
+      AC_MSG_WARN([The compiler supports -ftrapv, but for some reason I was not able to link with -ftrapv. Are you missing run-time support? Run-time hardening will not work as well as it should.])
+   fi
+
    if test "$tor_cv_cflags__ftrapv" != "yes"; then
      AC_MSG_ERROR([You requested expensive hardening, but the compiler does not seem to support -ftrapv.])
    fi
@@ -1819,7 +1820,7 @@ if test "x$enable_gcc_warnings_advisory" != "xno"; then
      -Wstatic-float-init
      -Wstatic-in-inline
      -Wstatic-local-in-inline
-     -Wstrict-overflow=2
+     -Wstrict-overflow=1
      -Wstring-compare
      -Wstring-conversion
      -Wstrlcpy-strlcat-size
@@ -1864,6 +1865,10 @@ if test "x$enable_gcc_warnings_advisory" != "xno"; then
      -Wzero-length-array
   ], [ TOR_CHECK_CFLAGS([warning_flag]) ])
 
+dnl    We should re-enable this in some later version.  Clang doesn't
+dnl    mind, but it causes trouble with GCC.
+dnl     -Wstrict-overflow=2
+
 dnl    These seem to require annotations that we don't currently use,
 dnl    and they give false positives in our pthreads wrappers. (Clang 4)
 dnl     -Wthread-safety