author | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:08:14 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:08:14 -0500 |
commit | 50626479183858d25d4e52b80b000dbb43097917 (patch) | |
tree | bbf76f604413014d4c28551bdfdf64a647044aab | |
parent | 508002a4c259cdfeca38ec15a726aa8a991a58da (diff) | |
parent | be84ed1a64ed7ce810bd3924fa96c2588b491ef5 (diff) | |
Merge branch 'maint-0.3.3' into maint-0.3.4
-rw-r--r-- | changes/ticket29168 | 5 | ||||
-rw-r--r-- | src/or/scheduler_kist.c | 2 |
2 files changed, 6 insertions, 1 deletions
diff --git a/changes/ticket29168 b/changes/ticket29168
new file mode 100644
index 0000000000..65c5232f65
--- /dev/null
+++ b/changes/ticket29168
@@ -0,0 +1,5 @@
+ o Major bugfixes (cell scheduler, KIST):
+ - Make KIST to always take into account the outbuf length when computing
+ what we can actually put in the outbuf. This could lead to the outbuf
+ being filled up and thus a possible memory DoS vector. TROVE-2019-001.
+ Fixes bug 29168; bugfix on 0.3.2.1-alpha.
diff --git a/src/or/scheduler_kist.c b/src/or/scheduler_kist.c
index c6e9b72c48..af8ddccabd 100644
--- a/src/or/scheduler_kist.c
+++ b/src/or/scheduler_kist.c
@@ -278,7 +278,7 @@ update_socket_info_impl, (socket_table_ent_t *ent))
 extra_space =
 clamp_double_to_int64(
 (ent->cwnd * (int64_t)ent->mss) * sock_buf_size_factor) -
- ent->notsent;
+ ent->notsent - (int64_t)channel_outbuf_length((channel_t *) ent->chan);
 if ((tcp_space + extra_space) < 0) {
 /* This means that the "notsent" queue is just too big so we shouldn't put
 * more in the kernel for now. */ |
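Review bot: The added `- (int64_t)channel_outbuf_length((channel_t *) ent->chan)` term in the `extra_space` assignment has no comment saying why bytes already queued in the channel's outbuf are charged against the write limit, although the changes file presents this as the whole fix for a memory DoS vector (TROVE-2019-001). I would put `/* Count bytes already queued in the channel outbuf against the limit; otherwise the outbuf can keep filling (TROVE-2019-001). */` directly above the assignment. The `(channel_t *)` cast looks like it exists to drop a const qualifier from `ent->chan` (inferred, since the field's declaration is outside the hunk); if so, an accessor taking `const channel_t *` would remove the need for it. The diffstat lists only the changes file and scheduler_kist.c, so the fix lands without a regression test; a unit test that calls update_socket_info_impl with a non-empty outbuf and checks the resulting limit would pin the behaviour. update_socket_info_impl begins and ends outside this hunk.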