commit ee5471f9aab55269c8c480f1f90dfeb08803ac15 Author: Nick Mathewson nickm@torproject.org Date: Mon Feb 13 15:51:55 2017 -0500
Try to check for (and prevent) buffer size INT_MAX overflow better.
Possible fix or diagnostic for 21369.
---
 changes/bug21369_check | 3 +++
 src/or/buffers.c | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/changes/bug21369_check b/changes/bug21369_check
new file mode 100644
index 0000000..2cd808c
--- /dev/null
+++ b/changes/bug21369_check
@@ -0,0 +1,3 @@
+ o Minor features (reliability, crash):
+ - Try better to detect problems in buffers where they might grow (or
+ think they have grown) over 2 GB in size. Diagnostic for bug 21369.
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 8981fd2..fc9e7e4 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -562,6 +562,11 @@ read_to_buf(tor_socket_t s, size_t at_most, buf_t *buf, int *reached_eof,
 tor_assert(reached_eof);
 tor_assert(SOCKET_OK(s));
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - at_most))
+ return -1;
+
 while (at_most > total_read) {
 size_t readlen = at_most - total_read;
 chunk_t *chunk;
@@ -619,6 +624,11 @@ read_to_buf_tls(tor_tls_t *tls, size_t at_most, buf_t *buf)
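Review bot: The second added guard in read_to_buf, `buf->datalen >= INT_MAX - at_most`, does not catch an `at_most` that is itself larger than INT_MAX: `at_most` is a `size_t`, so the subtraction is unsigned, wraps to a very large value, and the comparison comes out false. Because the first guard already establishes `buf->datalen < INT_MAX`, writing it as `if (BUG(at_most >= INT_MAX - buf->datalen))` keeps the subtraction in range and rejects oversized requests as well. The same form appears in the read_to_buf_tls hunk, the write_to_buf hunk (with `string_len`) and the move_buf_to_buf hunk (with `*buf_flushlen`). Whether callers already cap these lengths is not visible here, and read_to_buf's body starts and ends outside the hunk.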
check();
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - at_most))
+ return -1;
+
 while (at_most > total_read) {
 size_t readlen = at_most - total_read;
 chunk_t *chunk;
@@ -813,6 +823,11 @@ write_to_buf(const char *string, size_t string_len, buf_t *buf)
 return (int)buf->datalen;
 check();
+ if (BUG(buf->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf->datalen >= INT_MAX - string_len))
+ return -1;
+
 while (string_len) {
 size_t copy;
 if (!buf->tail || !CHUNK_REMAINING_CAPACITY(buf->tail))
@@ -962,6 +977,12 @@ move_buf_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
 /* We can do way better here, but this doesn't turn up in any profiles. */
 char b[4096];
 size_t cp, len;
+
+ if (BUG(buf_out->datalen >= INT_MAX))
+ return -1;
+ if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
+ return -1;
+
 len = *buf_flushlen;
 if (len > buf_in->datalen)
 len = buf_in->datalen;
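Review bot: In move_buf_to_buf the new bound is computed from `*buf_flushlen` before the lines that follow clamp `len` to `buf_in->datalen`, so a request larger than what `buf_in` holds can trip BUG() and return -1 even though the bytes actually moved would fit. Checking after the clamp, `if (BUG(len >= INT_MAX - buf_out->datalen)) return -1;`, bounds the amount that is really appended and stays in range when the requested length exceeds INT_MAX. The function starts and ends outside the hunk, so how callers treat the -1 is not visible here.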