[tor-bugs] #32673 [Core Tor/Tor]: 'buf_read_from_tls()' can return the wrong error code

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 5 02:17:00 UTC 2019


#32673: 'buf_read_from_tls()' can return the wrong error code
--------------------+------------------------------
 Reporter:  opara   |          Owner:  (none)
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Component:  Core Tor/Tor
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+------------------------------
 The
 [https://gitweb.torproject.org/tor.git/tree/src/lib/tls/buffers_tls.c?id=64d6914232c5ecba2954e9c7a5f6a6b9b8b5fec6#n63
 function] {{{buf_read_from_tls(...)}}} returns an integer. This integer
 can either be {{{<=0}}} (in which case it corresponds to a {{{TOR_TLS_}}}
 status) or a positive number (in which case it corresponds to the number
 of bytes read). This return value is
 [https://gitweb.torproject.org/tor.git/tree/src/core/mainloop/connection.c?id=64d6914232c5ecba2954e9c7a5f6a6b9b8b5fec6#n3749
 used in] {{{connection_buf_read_from_socket()}}} in a large
 {{{switch(result)}}} statement.

 At the beginning of {{{buf_read_from_tls(...)}}}, it returns {{{-1}}} on
 the lines:

 {{{
 IF_BUG_ONCE(buf->datalen >= INT_MAX)
   return -1;
 IF_BUG_ONCE(buf->datalen >= INT_MAX - at_most)
   return -1;
 }}}


 This value of {{{-1}}} is the
 [https://gitweb.torproject.org/tor.git/tree/src/lib/tls/tortls.h?id=64d6914232c5ecba2954e9c7a5f6a6b9b8b5fec6#n48
 same as] {{{TOR_TLS_WANTWRITE}}}. This causes the switch statement in
 {{{connection_buf_read_from_socket()}}} to interpret the return value as
 {{{TOR_TLS_WANTWRITE}}}, which is not correct for the {{{buf->datalen >=
 INT_MAX}}} bug. I suggest returning {{{TOR_TLS_ERROR_MISC}}} instead of
 {{{-1}}}. Note that this would close the connection.

 I don't think you'll see incorrect behavior due to this, but it might be a
 good idea to fix.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32673>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
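
The collision described in the ticket, as an added example that is not part of the original report or of Tor's code. The function names, the action enum and the simplified dispatch are hypothetical, and the numeric value used for TOR_TLS_ERROR_MISC is an assumption made for this example; only TOR_TLS_WANTWRITE == -1 comes from the ticket.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes named on the page. WANTWRITE == -1 is from the ticket;
 * the ERROR_MISC value here is an assumption made for this example. */
#define TOR_TLS_WANTWRITE  (-1)
#define TOR_TLS_ERROR_MISC (-9)

/* Hypothetical caller actions, standing in for the switch(result) arms. */
enum action { ACT_CLOSE, ACT_WAIT_FOR_WRITE, ACT_GOT_BYTES };

/* Sanity checks as quoted in the ticket: a bare -1 on failure. */
static int read_check_before(size_t datalen, size_t at_most)
{
  if (datalen >= INT_MAX) return -1;
  if (datalen >= INT_MAX - at_most) return -1;
  return (int)at_most;           /* pretend at_most bytes were read */
}

/* Same checks with the return value the reporter suggests. */
static int read_check_after(size_t datalen, size_t at_most)
{
  if (datalen >= INT_MAX) return TOR_TLS_ERROR_MISC;
  if (datalen >= INT_MAX - at_most) return TOR_TLS_ERROR_MISC;
  return (int)at_most;
}

/* Simplified caller: one int carries either a status or a byte count. */
static enum action dispatch(int result)
{
  switch (result) {
    case TOR_TLS_ERROR_MISC: return ACT_CLOSE;
    case TOR_TLS_WANTWRITE:  return ACT_WAIT_FOR_WRITE;
    default:                 return result > 0 ? ACT_GOT_BYTES : ACT_CLOSE;
  }
}

int main(void)
{
  size_t full = (size_t)INT_MAX;   /* constructed input that trips the check */
  printf("before: %d\n", dispatch(read_check_before(full, 16)));
  printf("after:  %d\n", dispatch(read_check_after(full, 16)));
  return 0;
}
```

With the bare -1, the failed sanity check reaches the caller as a request to wait for writability; with the named error code it reaches the arm that closes the connection.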

