[tor-commits] [tor/master] Fix a signed integer overflow in dir/download_status_random_backoff

nickm at torproject.org nickm at torproject.org
Fri Jul 14 19:08:30 UTC 2017


commit b7566d465f0299e97b46f40d746a1203257245d4
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Jul 14 13:56:40 2017 -0400

    Fix a signed integer overflow in dir/download_status_random_backoff
    
    Fix for 22924. Bugfix on 0.2.9.1-alpha when the test was introduced
    -- though it couldn't actually overflow until we fixed 17750.
    
    Additionally, this only seems to overflow on 32-bit, and only when
    the compiler doesn't re-order the (possibly dead) assignment out of
    the way.  We ran into it on a 32-bit ubuntu trusty builder.
---
 changes/bug22924    | 4 ++++
 src/test/test_dir.c | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/changes/bug22924 b/changes/bug22924
new file mode 100644
index 0000000..e59fc72
--- /dev/null
+++ b/changes/bug22924
@@ -0,0 +1,4 @@
+  o Minor bugfies (tests):
+    - Fix a signed-integer overflow in the unit tests for
+      dir/download_status_random_backoff, which was untriggered until we
+      fixed bug 17750.  Fixes bug 22924; bugfix on 0.2.9.1-alpha.
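Review bot: The section header on the first added line reads "Minor bugfies (tests)"; it should be "Minor bugfixes (tests)". The misspelled heading may not match the section name used by other changes entries when they are collated into the changelog. The entry could also mention that the overflow was only observed on 32-bit builds, as the commit message states, so readers of the changelog know which platforms were affected.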
diff --git a/src/test/test_dir.c b/src/test/test_dir.c
index 53911e8..729ae64 100644
--- a/src/test/test_dir.c
+++ b/src/test/test_dir.c
@@ -3657,12 +3657,14 @@ download_status_random_backoff_helper(int min_delay, int max_delay)
     }
 
     /* Advance */
-    current_time += increment;
     ++(dls_random.n_download_attempts);
     ++(dls_random.n_download_failures);
 
     /* Try another maybe */
     old_increment = increment;
+    if (increment >= max_delay)
+      current_time += increment;
+
   } while (increment < max_delay);
 
  done:
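Review bot: The new guard `if (increment >= max_delay)` uses the exact negation of the loop condition `while (increment < max_delay)`, so `current_time += increment` now runs only on the pass that exits the loop and never on a pass that continues. That means current_time stays fixed across every earlier iteration, where the old code advanced it each time, and the one addition that remains is performed with the largest increment the loop produces. If the intent is to skip a dead assignment, please add a comment saying so and confirming the test does not rely on current_time advancing between attempts; if the intent is to avoid the overflow, the condition looks inverted, and an explicit headroom check before the addition would be clearer than tying it to max_delay.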




