[tor-commits] [tor/master] Fix a nigh-impossible overflow in cpuworker.c
nickm at torproject.org
Mon Feb 11 21:51:40 UTC 2013
commit 719940df2bdfbd0f5ee02a9ca404f345d2fc49e8
Author: Nick Mathewson <nickm at torproject.org>
Date: Mon Feb 11 16:40:48 2013 -0500
Fix a nigh-impossible overflow in cpuworker.c

When we compute the estimated microseconds we need to handle our
pending onionskins, we could (in principle) overflow a uint32_t if
we ever had 4 million pending onionskins before we had any data
about how long onionskins take. Nevertheless, let's compute it properly.

Fixes bug 8210; bugfix on 0.2.4.10. Found by coverity; this is CID
980651.
---
changes/bug8210 | 6 ++++++
src/or/cpuworker.c | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/changes/bug8210 b/changes/bug8210
new file mode 100644
index 0000000..85d41b8
--- /dev/null
+++ b/changes/bug8210
@@ -0,0 +1,6 @@
+ o Minor bugfixes:
+ - Fix an impossible-to-trigger integer overflow when
+ estimating how long out onionskin queue would take. (This overflow
+ would require us to accept 4 million onionskins before processing
+ 100 of them.) Fixes bug 8210; bugfix on 0.2.4.10-alpha.
+
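Review bot: typo in the third line of the changes entry: "how long out onionskin queue would take" should read "our onionskin queue". The entry also cites the version as 0.2.4.10-alpha while the commit message says 0.2.4.10; worth making the two agree.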
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 6b52f3b..444f17c 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -222,10 +222,10 @@ uint64_t
estimated_usec_for_onionskins(uint32_t n_requests, uint16_t onionskin_type)
{
if (onionskin_type > MAX_ONION_HANDSHAKE_TYPE) /* should be impossible */
- return 1000 * n_requests;
+ return 1000 * (uint64_t)n_requests;
if (PREDICT_UNLIKELY(onionskins_n_processed[onionskin_type] < 100)) {
/* Until we have 100 data points, just asssume everything takes 1 msec. */
- return 1000 * n_requests;
+ return 1000 * (uint64_t)n_requests;
} else {
/* This can't overflow: we'll never have more than 500000 onionskins
* measured in onionskin_usec_internal, and they won't take anything near
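Review bot: the widened expression "1000 * (uint64_t)n_requests" now appears twice, once in the MAX_ONION_HANDSHAKE_TYPE branch and once in the "< 100" data-points branch, so a later edit could change one and regress the other. Consider merging the two conditions into a single early return, or giving the 1 msec default a named uint64_t constant, so the 64-bit multiply lives in one place. The cast itself is placed correctly: it widens the operand before the multiply rather than the already-truncated product. While this block is being touched, the "asssume" in the context comment could be corrected too.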