Add a 30-day maximum on user-supplied MaxCircuitDirtiness

Fix for bug 9543.

2 files changed, 14 insertions, 0 deletions

diff --git a/changes/bug9543 b/changes/bug9543
new file mode 100644
index 0000000000..753947f6fd
--- /dev/null
+++ b/changes/bug9543
@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Avoid overflows when the user sets MaxCircuitDirtiness to a
+      ridiculously high value, by imposing a (ridiculously high) 30-day
+      maximum on MaxCircuitDirtiness.
diff --git a/src/or/config.c b/src/or/config.c
index 72ceea395e..793fd557a3 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2266,6 +2266,10 @@ compute_publishserverdescriptor(or_options_t *options)
  * will generate too many circuits and potentially overload the network. */
 #define MIN_MAX_CIRCUIT_DIRTINESS 10
 
+/** Highest allowable value for MaxCircuitDirtiness: prevents time_t
+ * overflows. */
+#define MAX_MAX_CIRCUIT_DIRTINESS (30*24*60*60)
+
 /** Lowest allowable value for CircuitStreamTimeout; if this is too low, Tor
  * will generate too many circuits and potentially overload the network. */
 #define MIN_CIRCUIT_STREAM_TIMEOUT 10
@@ -2786,6 +2790,12 @@ options_validate(or_options_t *old_options, or_options_t *options,
     options->MaxCircuitDirtiness = MIN_MAX_CIRCUIT_DIRTINESS;
   }
 
+  if (options->MaxCircuitDirtiness > MAX_MAX_CIRCUIT_DIRTINESS) {
+    log_warn(LD_CONFIG, "MaxCircuitDirtiness option is too high; "
+             "setting to %d days.", MAX_MAX_CIRCUIT_DIRTINESS/86400);
+    options->MaxCircuitDirtiness = MAX_MAX_CIRCUIT_DIRTINESS;
+  }
+
   if (options->CircuitStreamTimeout &&
       options->CircuitStreamTimeout < MIN_CIRCUIT_STREAM_TIMEOUT) {
     log_warn(LD_CONFIG, "CircuitStreamTimeout option is too short; "