[tor-commits] [tor/master] Fix an integer overflow bug in the tv_mdiff range check

nickm at torproject.org nickm at torproject.org
Wed Jun 29 13:38:27 UTC 2016


commit 2e51608a8b7d883f5e187ccc83ed871e248442c2
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date:   Wed Jun 29 12:53:50 2016 +1000

    Fix an integer overflow bug in the tv_mdiff range check
    
    The temporary second used for rounding can cause overflow,
    depending on the order the compiler performs the operations.
---
 src/common/util.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/common/util.c b/src/common/util.c
index 4b6df81..44994fb 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -1394,6 +1394,7 @@ tv_udiff(const struct timeval *start, const struct timeval *end)
   long udiff;
   long secdiff = end->tv_sec - start->tv_sec;
 
+  /* end->tv_usec - start->tv_usec can be up to 1 second */
   if (labs(secdiff)+1 > LONG_MAX/1000000) {
     log_warn(LD_GENERAL, "comparing times on microsecond detail too far "
              "apart: %ld seconds", secdiff);
@@ -1412,7 +1413,9 @@ tv_mdiff(const struct timeval *start, const struct timeval *end)
   long mdiff;
   long secdiff = end->tv_sec - start->tv_sec;
 
-  if (labs(secdiff)+1 > LONG_MAX/1000) {
+  /* end->tv_usec - start->tv_usec can be up to 1 second,
+   * but the mdiff calculation adds another temporary second */
+  if (labs(secdiff)+2 > LONG_MAX/1000) {
     log_warn(LD_GENERAL, "comparing times on millisecond detail too far "
              "apart: %ld seconds", secdiff);
     return LONG_MAX;





More information about the tor-commits mailing list