commit ee5471f9aab55269c8c480f1f90dfeb08803ac15 Author: Nick Mathewson <nickm@torproject.org> Date: Mon Feb 13 15:51:55 2017 -0500 Try to check for (and prevent) buffer size INT_MAX overflow better. Possible fix or diagnostic for 21369. --- changes/bug21369_check | 3 +++ src/or/buffers.c | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/changes/bug21369_check b/changes/bug21369_check new file mode 100644 index 0000000..2cd808c --- /dev/null +++ b/changes/bug21369_check @@ -0,0 +1,3 @@ + o Minor features (reliability, crash): + - Try better to detect problems in buffers where they might grow (or + think they have grown) over 2 GB in size. Diagnostic for bug 21369. diff --git a/src/or/buffers.c b/src/or/buffers.c index 8981fd2..fc9e7e4 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -562,6 +562,11 @@ read_to_buf(tor_socket_t s, size_t at_most, buf_t *buf, int *reached_eof, tor_assert(reached_eof); tor_assert(SOCKET_OK(s)); + if (BUG(buf->datalen >= INT_MAX)) + return -1; + if (BUG(buf->datalen >= INT_MAX - at_most)) + return -1; + while (at_most > total_read) { size_t readlen = at_most - total_read; chunk_t *chunk; @@ -619,6 +624,11 @@ read_to_buf_tls(tor_tls_t *tls, size_t at_most, buf_t *buf) check(); + if (BUG(buf->datalen >= INT_MAX)) + return -1; + if (BUG(buf->datalen >= INT_MAX - at_most)) + return -1; + while (at_most > total_read) { size_t readlen = at_most - total_read; chunk_t *chunk; @@ -813,6 +823,11 @@ write_to_buf(const char *string, size_t string_len, buf_t *buf) return (int)buf->datalen; check(); + if (BUG(buf->datalen >= INT_MAX)) + return -1; + if (BUG(buf->datalen >= INT_MAX - string_len)) + return -1; + while (string_len) { size_t copy; if (!buf->tail || !CHUNK_REMAINING_CAPACITY(buf->tail)) @@ -962,6 +977,12 @@ move_buf_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) /* We can do way better here, but this doesn't turn up in any profiles. */ char b[4096]; size_t cp, len; + + if (BUG(buf_out->datalen >= INT_MAX)) + return -1; + if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) + return -1; + len = *buf_flushlen; if (len > buf_in->datalen) len = buf_in->datalen;