[tor-commits] [tor/master] sched: Avoid integer overflow when computing tcp_space

nickm at torproject.org nickm at torproject.org
Mon Dec 11 21:03:47 UTC 2017 

commit 057139d3830bb94df8031bb6e8e385cef53352bc
Author: David Goulet <dgoulet at torproject.org>
Date:   Mon Dec 11 15:42:28 2017 -0500

    sched: Avoid integer overflow when computing tcp_space
    
    In KIST, we could have a small congestion window value than the unacked
    packets leading to a integer overflow which leaves the tcp_space value to be
    humongous.
    
    This has no security implications but it results in KIST scheduler allowing to
    send cells on a potentially saturated connection.
    
    Found by #24423. Fixes #24590.
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 changes/bug24590        |  5 +++++
 src/or/scheduler_kist.c | 11 +++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/changes/bug24590 b/changes/bug24590
new file mode 100644
index 000000000..77e039f8d
--- /dev/null
+++ b/changes/bug24590
@@ -0,0 +1,5 @@
+  o Minor bugfixes (scheduler, KIST):
+    - Avoid a possible integer overflow when computing the available space on
+      the TCP buffer of a channel. This has no security implications but can
+      make KIST not behave properly by allowing more cells on a already
+      saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
diff --git a/src/or/scheduler_kist.c b/src/or/scheduler_kist.c
index 3d8f553ac..9acd89b37 100644
--- a/src/or/scheduler_kist.c
+++ b/src/or/scheduler_kist.c
@@ -264,10 +264,13 @@ update_socket_info_impl, (socket_table_ent_t *ent))
    *                                         ^ ((cwnd * mss) * factor) bytes
    */
 
-   /* Assuming all these values from the kernel are uint32_t still, they will
-   * always fit into a int64_t tcp_space variable. */
-  tcp_space = (ent->cwnd - ent->unacked) * (int64_t)ent->mss;
-  if (tcp_space < 0) {
+  /* These values from the kernel are uint32_t, they will always fit into a
+   * int64_t tcp_space variable but if the congestion window cwnd is smaller
+   * than the unacked packets, the remaining TCP space is set to 0 so we don't
+   * write more on this channel. */
+  if (ent->cwnd >= ent->unacked) {
+    tcp_space = (ent->cwnd - ent->unacked) * (int64_t)(ent->mss);
+  } else {
     tcp_space = 0;
   }

More information about the tor-commits mailing list