summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorteor <teor@torproject.org>2019-04-10 18:27:11 +1000
committerteor <teor@torproject.org>2019-04-10 18:27:11 +1000
commita1d9f44971f2442a41a4d5fbed5aba28d872e15b (patch)
treed4f9c0979ff114fe30d76f05ff3cb9e2e79c5b38
parentc28cdcc9bf5df9ed6479881a1fc4124a7b7a2676 (diff)
parent454bdb22eeb4637a8bb5e40deb8454311f4ba4a2 (diff)
downloadtor-a1d9f44971f2442a41a4d5fbed5aba28d872e15b.tar.gz
tor-a1d9f44971f2442a41a4d5fbed5aba28d872e15b.zip
Merge branch 'maint-0.4.0'
-rw-r--r--changes/bug300415
-rw-r--r--src/core/mainloop/connection.c4
-rw-r--r--src/lib/buf/buffers.c11
3 files changed, 18 insertions, 2 deletions
diff --git a/changes/bug30041 b/changes/bug30041
new file mode 100644
index 0000000000..801c8f67ac
--- /dev/null
+++ b/changes/bug30041
@@ -0,0 +1,5 @@
+ o Minor bugfixes (hardening):
+ - Verify in more places that we are not about to create a buffer
+ with more than INT_MAX bytes, to avoid possible OOB access in the event
+ of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by
+ Tobias Stoeckmann.
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index a56e7f9e0a..51c19b4c4c 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3789,6 +3789,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) {
result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen);
+ if (BUG(result<0)) {
+ log_warn(LD_BUG, "reading from linked connection buffer failed.");
+ return -1;
+ }
} else {
result = 0;
}
diff --git a/src/lib/buf/buffers.c b/src/lib/buf/buffers.c
index e7a3b87df0..88a25b8470 100644
--- a/src/lib/buf/buffers.c
+++ b/src/lib/buf/buffers.c
@@ -283,7 +283,7 @@ buf_t *
buf_new_with_data(const char *cp, size_t sz)
{
/* Validate arguments */
- if (!cp || sz <= 0) {
+ if (!cp || sz <= 0 || sz >= INT_MAX) {
return NULL;
}
@@ -657,7 +657,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
char b[4096];
size_t cp, len;
- if (BUG(buf_out->datalen >= INT_MAX))
+ if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX))
return -1;
if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
return -1;
@@ -689,6 +689,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
tor_assert(buf_out);
if (!buf_in)
return;
+ if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
+ return;
+ if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
+ return;
if (buf_out->head == NULL) {
buf_out->head = buf_in->head;
@@ -756,6 +760,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
static inline int
buf_pos_inc(buf_pos_t *pos)
{
+ tor_assert(pos->pos < INT_MAX - 1);
++pos->pos;
if (pos->pos == (off_t)pos->chunk->datalen) {
if (!pos->chunk->next)
@@ -836,6 +841,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
{
chunk_t *chunk;
off_t offset = 0;
+ tor_assert(buf->datalen < INT_MAX);
for (chunk = buf->head; chunk; chunk = chunk->next) {
char *cp = memchr(chunk->data, ch, chunk->datalen);
if (cp)
@@ -905,6 +911,7 @@ buf_assert_ok(buf_t *buf)
for (ch = buf->head; ch; ch = ch->next) {
total += ch->datalen;
tor_assert(ch->datalen <= ch->memlen);
+ tor_assert(ch->datalen < INT_MAX);
tor_assert(ch->data >= &ch->mem[0]);
tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
if (ch->data == &ch->mem[0]+ch->memlen) {