diff options
| author | cypherpunks <cypherpunks@torproject.org> | 2020-03-03 07:01:05 +0000 |
|---|---|---|
| committer | cypherpunks <cypherpunks@torproject.org> | 2020-03-24 05:19:24 +0000 |
| commit | fd3e0c154236c59c2972b549500675980bb02507 (patch) | |
| tree | d2b0fede6c65721d2976a612fa61ee613790dd68 | |
| parent | b9c7c61ea5233854ff83257a8bc530b7e0a50351 (diff) | |
| download | tor-fd3e0c154236c59c2972b549500675980bb02507.tar.gz tor-fd3e0c154236c59c2972b549500675980bb02507.zip | |
core/mainloop: Limit growth of conn->inbuf
If the buf_t's length could potentially become greater than INT_MAX - 1,
it sets off an IF_BUG_ONCE in buf_read_from_tls().
All of the rest of the buffers.c code has similar BUG/asserts for this
invariant.
| -rw-r--r-- | changes/bug33131 | 3 | ||||
| -rw-r--r-- | src/core/mainloop/connection.c | 9 |
2 files changed, 12 insertions, 0 deletions
diff --git a/changes/bug33131 b/changes/bug33131 new file mode 100644 index 0000000000..bc5ef7bc2d --- /dev/null +++ b/changes/bug33131 @@ -0,0 +1,3 @@ + o Minor bugfixes (mainloop): + - Better guard against growing a buffer past its maximum 2GB in size. + Fixes bug 33131; bugfix on 0.3.0.4-rc. diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 3595bba85c..3c8527dd53 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3684,6 +3684,15 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, at_most = connection_bucket_read_limit(conn, approx_time()); } + /* Do not allow inbuf to grow past INT_MAX - 1. */ + const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf); + if (at_most > maximum) { + log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %" + TOR_PRIdSZ" might overflow.", + (int)conn->s, buf_datalen(conn->inbuf), at_most); + at_most = maximum; + } + slack_in_buf = buf_slack(conn->inbuf); again: if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) { |