summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2016-01-28 22:04:24 -0500
committerNick Mathewson <nickm@torproject.org>2016-02-10 15:49:11 -0500
commit601b41084af1f941c4266237e2c6df46be8981dd (patch)
treed129ab85e26dc32babae37e8a03c42bc37d4a5c1
parenta5bed4dab2f8521f744d5137e4f439b073c7e5e9 (diff)
downloadtor-601b41084af1f941c4266237e2c6df46be8981dd.tar.gz
tor-601b41084af1f941c4266237e2c6df46be8981dd.zip
Bulletproof the safe_timer_diff function
Originally it can overflow in some weird cases. Now it should no longer be able to do so. Additionally, limit main's timers to 30 days rather than to 38 years; we don't actually want any 38-year timers. Closes bug 17682.
-rw-r--r--src/or/main.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/or/main.c b/src/or/main.c
index bd4f7eaa71..30c24e5ca4 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -1414,11 +1414,23 @@ reschedule_directory_downloads(void)
periodic_event_reschedule(launch_descriptor_fetches_event);
}
+#define LONGEST_TIMER_PERIOD (30 * 86400)
+/** Helper: Return the number of seconds between <b>now</b> and <b>next</b>,
+ * clipped to the range [1 second, LONGEST_TIMER_PERIOD]. */
static inline int
safe_timer_diff(time_t now, time_t next)
{
if (next > now) {
- tor_assert(next - now <= INT_MAX);
+ /* There were no computers at signed TIME_MIN (1902 on 32-bit systems),
+ * and nothing that could run Tor. It's a bug if 'next' is around then.
+ * On 64-bit systems with signed TIME_MIN, TIME_MIN is before the Big
+ * Bang. We cannot extrapolate past a singularity, but there was probably
+ * nothing that could run Tor then, either.
+ **/
+ tor_assert(next > TIME_MIN + LONGEST_TIMER_PERIOD);
+
+ if (next - LONGEST_TIMER_PERIOD > now)
+ return LONGEST_TIMER_PERIOD;
return (int)(next - now);
} else {
return 1;