- Enhance room_broadcast() reference counting:
* Check client state (connected, show_help, command_output) before rendering
* Perform state check while holding client ref_lock
* Prevents rendering to disconnected/invalid clients
* Ensures safe cleanup when ref count reaches zero
- Fix tui_render_screen() message array TOCTOU:
* Acquire all data (online count, message count, messages) in single lock
* Create snapshot of messages to display
* Calculate message range while holding lock
* Render from snapshot without holding lock
* Prevents inconsistencies from concurrent message additions
* Eliminates race between two separate lock acquisitions
- Fix handle_key() scroll position TOCTOU:
* Get message count atomically when calculating scroll bounds
* Calculate max_scroll properly accounting for message height
* Apply consistent bounds checking for 'j' (down) and 'G' (bottom)
* Prevents out-of-bounds access from concurrent message changes
These changes address:
- Race condition in broadcast rendering to disconnecting clients
- TOCTOU between message count read and message access
- Scroll position bounds check race conditions
Prevents:
- Use-after-free in client cleanup
- Array out-of-bounds access
- Inconsistent UI rendering
- Crashes from concurrent message list modifications
Improves thread safety without introducing deadlocks by:
- Using snapshot approach to avoid long lock holds
- Acquiring data in consistent lock order
- Minimizing critical sections
- Add IP-based rate limiting system:
* Track up to 256 IPs with connection counts and auth failures
* Rate limit: max 10 connections per IP per 60-second window
* Block for 5 minutes after 5 auth failures
* Auto-unblock when duration expires
- Add global connection limit (default: 64, configurable)
- Add per-IP connection limit (default: 5, configurable)
- Implement optional access token authentication:
* If TNT_ACCESS_TOKEN set, require password matching token
* If not set, maintain open access (backward compatible)
* Rate limit auth attempts (max 3 per session)
* Add 2-second delay after failed auth to slow brute force
- Add client IP tracking and logging
- Implement connection count management with proper cleanup
Environment variables:
- TNT_ACCESS_TOKEN: Access token for password authentication (optional)
- TNT_MAX_CONNECTIONS: Maximum concurrent connections (default: 64)
- TNT_MAX_CONN_PER_IP: Maximum connections per IP (default: 5)
- TNT_RATE_LIMIT: Enable/disable rate limiting (default: 1)
These changes address:
- Weak authentication allowing unrestricted access
- No protection against brute force attacks
- No rate limiting or connection throttling
- No IP-based access controls
Prevents:
- Brute force password attacks
- Connection flooding DoS
- Resource exhaustion
- Unauthorized access when token is configured
Design maintains backward compatibility: without TNT_ACCESS_TOKEN,
server remains fully open as before. With token, it's protected.
- README: BSD man page format (NAME/SYNOPSIS/OPTIONS/etc)
- README.md: Minimal markdown (82 lines vs 200+)
Philosophy: Dense information, no fluff, reference style.
Inspired by original Unix manuals and BSD docs.
Changes:
- Removed emojis and badges
- Condensed verbose sections
- Clear command examples
- Direct references to detailed docs
Previous implementation:
- Allocated MAX_MESSAGES * 10 (1000 messages) temporarily
- Wasted ~100KB per server startup
- Could fail if log file grows very large
New implementation:
- Track file positions of last 1000 lines
- Seek to appropriate position before reading
- Only allocate MAX_MESSAGES (100 messages)
- Memory usage reduced by 90%
Benefits:
- Faster startup with large log files
- Lower memory footprint
- No risk of allocation failure
- Same functionality maintained
Uses fseek/ftell for efficient log file handling.
Fixes three critical bugs that caused crashes after long-running:
1. Use-after-free race condition in room_broadcast()
- Added reference counting to client_t structure
- Increment ref_count before using client outside lock
- Decrement and free only when ref_count reaches 0
- Prevents accessing freed client memory during broadcast
2. strtok() data corruption in tui_render_command_output()
- strtok() modifies original string by replacing delimiters
- Now use a local copy before calling strtok()
- Prevents corruption of client->command_output
3. Improved handle_key() consistency
- Return bool to indicate if key was consumed
- Fixes issue where mode-switch keys were processed twice
Thread safety changes:
- Added client->ref_count and client->ref_lock
- Added client_release() for safe cleanup
- room_broadcast() now properly increments/decrements refs
This fixes the primary cause of crashes during extended operation.
When pressing ':' in NORMAL mode, the key was being processed twice:
1. handle_key() detected it and switched to COMMAND mode
2. The same ':' character was then added to command_input
This resulted in '::' appearing instead of ':'.
Solution:
- Changed handle_key() to return bool indicating if key was consumed
- Only add character to input if handle_key() returns false
- All mode-switching keys now return true to prevent reprocessing
Fixes the most annoying UX bug reported by users.
- Allow SSH_AUTH_METHOD_NONE for passwordless authentication
- Replace all \n with \r\n in TUI rendering for proper line breaks
- Fixes messages appearing misaligned on terminal
- Implement SSH server using libssh for secure connections
- Replace insecure telnet with encrypted SSH protocol
- Add automatic terminal size detection via PTY requests
- Support dynamic window resize (SIGWINCH handling)
- Fix UI display bug by using SSH channel instead of fd
- Update tui_clear_screen to work with SSH connections
- Add RSA host key auto-generation on first run
- Update README with SSH instructions and security notes
- Add libssh dependency to Makefile with auto-detection
- Remove all telnet-related code
Security improvements:
- All traffic now encrypted
- Host key authentication
- No more plaintext transmission
