summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2019-03-31 17:33:11 +0200
committerNick Mathewson <nickm@torproject.org>2019-04-09 12:05:22 -0400
commita628e36024c4db6e5b178abe3a0b2784c0ab00ec (patch)
tree6e158792edb77bdca6ae4ae59e228b8d13cc2973
parent5a6ab3e7dbf601ae3cc006855f7f4e6c834cbeb2 (diff)
downloadtor-a628e36024c4db6e5b178abe3a0b2784c0ab00ec.tar.gz
tor-a628e36024c4db6e5b178abe3a0b2784c0ab00ec.zip
Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an error value. This value is currently casted to size_t (variable n_read) and will erroneously lead to an increasement of variable "max_to_read". This in turn can be used to call connection_buf_read_from_socket to store more data inside the buffer than expected and clogging the connection buffer. If the linked connection buffer was able to overflow INT_MAX, the call of buf_move_to_buf would have previously internally triggered an integer overflow, corrupting the state of the connection buffer. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r--src/or/connection.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/or/connection.c b/src/or/connection.c
index 0a2a635096..f18ef74536 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -3561,6 +3561,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) {
result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen);
+ if (BUG(result<0)) {
+ log_warn(LD_BUG, "reading from linked connection buffer failed.");
+ return -1;
+ }
} else {
result = 0;
}