[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/maint-0.4.0] Check return value of buf_move_to_buf for error.



commit a628e36024c4db6e5b178abe3a0b2784c0ab00ec
Author: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
Date:   Sun Mar 31 17:33:11 2019 +0200

    Check return value of buf_move_to_buf for error.
    
    If the concatenation of connection buffer and the buffer of linked
    connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
    error value.
    
    This value is currently casted to size_t (variable n_read) and will
    erroneously lead to an increasement of variable "max_to_read".
    
    This in turn can be used to call connection_buf_read_from_socket to
    store more data inside the buffer than expected and clogging the
    connection buffer.
    
    If the linked connection buffer was able to overflow INT_MAX, the call
    of buf_move_to_buf would have previously internally triggered an integer
    overflow, corrupting the state of the connection buffer.
    
    Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
---
 src/or/connection.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/or/connection.c b/src/or/connection.c
index 0a2a63509..f18ef7453 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -3561,6 +3561,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
     if (conn->linked_conn) {
       result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
                                &conn->linked_conn->outbuf_flushlen);
+      if (BUG(result<0)) {
+        log_warn(LD_BUG, "reading from linked connection buffer failed.");
+        return -1;
+      }
     } else {
       result = 0;
     }



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits