diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2019-03-31 17:33:11 +0200 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2019-04-09 12:00:14 -0400 |
| commit | 0fa95308fe5fcce8842530fcae5a49188856e6ac (patch) | |
| tree | c90023be639e3c7299e3fbec9b364ad0d1a2144e | |
| parent | 74b2bc43fbe61e3a04fe3f5cc9f817be307e13e1 (diff) | |
| download | tor-0fa95308fe5fcce8842530fcae5a49188856e6ac.tar.gz tor-0fa95308fe5fcce8842530fcae5a49188856e6ac.zip | |
Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.
This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".
This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.
If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| -rw-r--r-- | src/or/connection.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/or/connection.c b/src/or/connection.c index 791fd95c27..4f636eeb8c 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -3581,6 +3581,10 @@ connection_read_to_buf(connection_t *conn, ssize_t *max_to_read, if (conn->linked_conn) { result = move_buf_to_buf(conn->inbuf, conn->linked_conn->outbuf, &conn->linked_conn->outbuf_flushlen); + if (BUG(result<0)) { + log_warn(LD_BUG, "reading from linked connection buffer failed."); + return -1; + } } else { result = 0; } |