[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] core/mainloop: Limit growth of conn->inbuf
commit fd3e0c154236c59c2972b549500675980bb02507
Author: cypherpunks <cypherpunks@xxxxxxxxxxxxxx>
Date: Tue Mar 3 07:01:05 2020 +0000
core/mainloop: Limit growth of conn->inbuf
If the buf_t's length could potentially become greater than INT_MAX - 1,
it sets off an IF_BUG_ONCE in buf_read_from_tls().
All of the rest of the buffers.c code has similar BUG/asserts for this
invariant.
---
changes/bug33131 | 3 +++
src/core/mainloop/connection.c | 9 +++++++++
2 files changed, 12 insertions(+)
diff --git a/changes/bug33131 b/changes/bug33131
new file mode 100644
index 000000000..bc5ef7bc2
--- /dev/null
+++ b/changes/bug33131
@@ -0,0 +1,3 @@
+ o Minor bugfixes (mainloop):
+ - Better guard against growing a buffer past its maximum 2GB in size.
+ Fixes bug 33131; bugfix on 0.3.0.4-rc.
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index 3595bba85..3c8527dd5 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3684,6 +3684,15 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
at_most = connection_bucket_read_limit(conn, approx_time());
}
+ /* Do not allow inbuf to grow past INT_MAX - 1. */
+ const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf);
+ if (at_most > maximum) {
+ log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %"
+ TOR_PRIdSZ" might overflow.",
+ (int)conn->s, buf_datalen(conn->inbuf), at_most);
+ at_most = maximum;
+ }
+
slack_in_buf = buf_slack(conn->inbuf);
again:
if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) {
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits