[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/release-0.3.0] Try to check for (and prevent) buffer size INT_MAX overflow better.
commit ee5471f9aab55269c8c480f1f90dfeb08803ac15
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Mon Feb 13 15:51:55 2017 -0500
Try to check for (and prevent) buffer size INT_MAX overflow better.
Possible fix or diagnostic for 21369.
---
changes/bug21369_check | 3 +++
src/or/buffers.c | 21 +++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/changes/bug21369_check b/changes/bug21369_check
new file mode 100644
index 0000000..2cd808c
--- /dev/null
+++ b/changes/bug21369_check
@@ -0,0 +1,3 @@
+ o Minor features (reliability, crash):
+ - Try better to detect problems in buffers where they might grow (or
+ think they have grown) over 2 GB in size. Diagnostic for bug 21369.
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 8981fd2..fc9e7e4 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -562,6 +562,11 @@ read_to_buf(tor_socket_t s, size_t at_most, buf_t *buf, int *reached_eof,
tor_assert(reached_eof);
tor_assert(SOCKET_OK(s));
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - at_most))
+ return -1;
+
while (at_most > total_read) {
size_t readlen = at_most - total_read;
chunk_t *chunk;
@@ -619,6 +624,11 @@ read_to_buf_tls(tor_tls_t *tls, size_t at_most, buf_t *buf)
check();
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - at_most))
+ return -1;
+
while (at_most > total_read) {
size_t readlen = at_most - total_read;
chunk_t *chunk;
@@ -813,6 +823,11 @@ write_to_buf(const char *string, size_t string_len, buf_t *buf)
return (int)buf->datalen;
check();
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - string_len))
+ return -1;
+
while (string_len) {
size_t copy;
if (!buf->tail || !CHUNK_REMAINING_CAPACITY(buf->tail))
@@ -962,6 +977,12 @@ move_buf_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
/* We can do way better here, but this doesn't turn up in any profiles. */
char b[4096];
size_t cp, len;
+
+ if (BUG(buf_out->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
+ return -1;
+
len = *buf_flushlen;
if (len > buf_in->datalen)
len = buf_in->datalen;
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits