author | Nick Mathewson <nickm@torproject.org> | 2018-06-20 16:11:09 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2018-06-20 16:16:45 -0400 |
commit | c86850c4c9e8154fdd6e0be53f455a573df17155 (patch) | |
tree | e08248e270214fe6e8203316c16648faa30ef762 | |
parent | 50fb8301c15eb291b23d9b82dba00d285cedbb37 (diff) | |
download | tor-c86850c4c9e8154fdd6e0be53f455a573df17155.tar.gz tor-c86850c4c9e8154fdd6e0be53f455a573df17155.zip |
Don't use any asserts(), even raw, in format_number_sigsafe().
Also explain why.
-rw-r--r-- | src/common/torerr.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/common/torerr.c b/src/common/torerr.c
index 5dbdc629ad..0e0c4db355 100644
--- a/src/common/torerr.c
+++ b/src/common/torerr.c
@@ -155,8 +155,9 @@ format_number_sigsafe(unsigned long x, char *buf, int buf_len,
 int len;
 char *cp;

- /* NOT tor_assert. This needs to be safe to run from within a signal handler,
- * and from within the 'tor_assert() has failed' code. */
+ /* NOT tor_assert. This needs to be safe to run from within a signal
+ * handler, and from within the 'tor_assert() has failed' code. Not even
+ * raw_assert(), since raw_assert() calls this function on failure. */
 if (radix < 2 || radix > 16)
 return 0;

@@ -176,7 +177,10 @@ format_number_sigsafe(unsigned long x, char *buf, int buf_len,
 *cp = '\0';
 do {
 unsigned digit = (unsigned) (x % radix);
- raw_assert(cp > buf);
+ if (cp <= buf) {
+ /* Not tor_assert(); see above. */
+ abort();
+ }
 --cp;
 *cp = "0123456789ABCDEF"[digit];
 x /= radix; |
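Review bot: The comment on the new `abort()` branch in the second hunk, `/* Not tor_assert(); see above. */`, points at a comment some twenty lines earlier and says nothing about why `abort()` itself is acceptable here, which is the non-obvious part of the change. Since the first hunk's comment already states that raw_assert() calls this function on failure, the branch would read on its own with something like `/* Not tor_assert() or raw_assert(): both would re-enter this function. abort() is async-signal-safe, which is all we may rely on here. */`. It would also help to state at the `if (cp <= buf)` check what it protects: the `--cp` on the next line would otherwise write one byte before `buf`, and whether `cp` can legitimately reach `buf` depends on how `len` was computed, which is outside this hunk. The body of format_number_sigsafe() starts before the first hunk and continues past the end of the second.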