[tor-commits] [tor/master] Make write_escaped_data more robust to large inputs.

nickm at torproject.org nickm at torproject.org
Thu Aug 24 13:29:15 UTC 2017 

commit 6f7d548bc428a5aa923c04cdcdab59af88a3495b
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Aug 9 08:58:38 2017 -0400

    Make write_escaped_data more robust to large inputs.
    
    The old implementation would fail with super-long inputs. We never
    gave it any, but still, it's nicer to dtrt here.
    
    Reported by Guido Vranken. Fixes bug 19281.
---
 changes/bug19281 |  5 +++++
 src/or/control.c | 20 ++++++++++++++------
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/changes/bug19281 b/changes/bug19281
new file mode 100644
index 000000000..1586ba34f
--- /dev/null
+++ b/changes/bug19281
@@ -0,0 +1,5 @@
+  o Minor bugfixes (correctness, controller):
+    - Make the controller's write_escaped_data() function robust to extremely
+      long inputs. Right now, it doesn't actually receive any extremely
+      long inputs, so this is for defense in depth. Fixes bug 19281;
+      bugfix on 0.1.1.1-alpha. Reported by Guido Vranken.
diff --git a/src/or/control.c b/src/or/control.c
index 2ff1cc844..4df670cd2 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -313,16 +313,23 @@ connection_write_str_to_buf(const char *s, control_connection_t *conn)
 STATIC size_t
 write_escaped_data(const char *data, size_t len, char **out)
 {
-  size_t sz_out = len+8;
+  tor_assert(len < SIZE_MAX - 9);
+  size_t sz_out = len+8+1;
   char *outp;
   const char *start = data, *end;
-  int i;
+  size_t i;
   int start_of_line;
-  for (i=0; i<(int)len; ++i) {
-    if (data[i]== '\n')
+  for (i=0; i < len; ++i) {
+    if (data[i] == '\n') {
       sz_out += 2; /* Maybe add a CR; maybe add a dot. */
+      if (sz_out >= SIZE_T_CEILING) {
+        log_warn(LD_BUG, "Input to write_escaped_data was too long");
+        *out = tor_strdup(".\r\n");
+        return 3;
+      }
+    }
   }
-  *out = outp = tor_malloc(sz_out+1);
+  *out = outp = tor_malloc(sz_out);
   end = data+len;
   start_of_line = 1;
   while (data < end) {
@@ -348,7 +355,8 @@ write_escaped_data(const char *data, size_t len, char **out)
   *outp++ = '\r';
   *outp++ = '\n';
   *outp = '\0'; /* NUL-terminate just in case. */
-  tor_assert((outp - *out) <= (int)sz_out);
+  tor_assert(outp >= *out);
+  tor_assert((size_t)(outp - *out) <= sz_out);
   return outp - *out;
 }

More information about the tor-commits mailing list