diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2019-03-31 17:32:41 +0200 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2019-04-09 12:05:14 -0400 |
commit | 5a6ab3e7dbf601ae3cc006855f7f4e6c834cbeb2 (patch) | |
tree | 1e7928591d803a45c9fe9c1e50d74d6c8fbcfc30 | |
parent | 48e990359b05661f2dd0ae503143ee9b18442475 (diff) | |
download | tor-5a6ab3e7dbf601ae3cc006855f7f4e6c834cbeb2.tar.gz tor-5a6ab3e7dbf601ae3cc006855f7f4e6c834cbeb2.zip |
Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:
- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)
This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r-- | src/common/buffers.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/common/buffers.c b/src/common/buffers.c index a01add9bef..3951877c5e 100644 --- a/src/common/buffers.c +++ b/src/common/buffers.c @@ -273,7 +273,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ - if (!cp || sz <= 0) { + if (!cp || sz <= 0 || sz >= INT_MAX) { return NULL; } @@ -818,7 +818,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; - if (BUG(buf_out->datalen >= INT_MAX)) + if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX)) return -1; if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) return -1; @@ -850,6 +850,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; + if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX)) + return; + if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen)) + return; if (buf_out->head == NULL) { buf_out->head = buf_in->head; @@ -917,6 +921,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) static inline int buf_pos_inc(buf_pos_t *pos) { + tor_assert(pos->pos < INT_MAX - 1); ++pos->pos; if (pos->pos == (off_t)pos->chunk->datalen) { if (!pos->chunk->next) @@ -997,6 +1002,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; off_t offset = 0; + tor_assert(buf->datalen < INT_MAX); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) @@ -1125,6 +1131,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); + tor_assert(ch->datalen < INT_MAX); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { |