diff options
| author | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:08:14 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:08:14 -0500 |
| commit | 00a93b19cf0db9c0f47a48d55c658058f976ab93 (patch) | |
| tree | 83d78d7617a7e4a264e80f0f2a0ea53d0fdbc57f | |
| parent | df3484b2b01835c075b57c30b2ea3ac260ee157c (diff) | |
| parent | 4a8a1f76ea6cbde128f2cda49049866ea739931d (diff) | |
| download | tor-00a93b19cf0db9c0f47a48d55c658058f976ab93.tar.gz tor-00a93b19cf0db9c0f47a48d55c658058f976ab93.zip | |
Merge branch 'maint-0.3.5' into maint-0.4.0
| -rw-r--r-- | changes/ticket29168 | 5 | ||||
| -rw-r--r-- | src/core/or/scheduler_kist.c | 2 |
2 files changed, 6 insertions, 1 deletions
diff --git a/changes/ticket29168 b/changes/ticket29168 new file mode 100644 index 0000000000..65c5232f65 --- /dev/null +++ b/changes/ticket29168 @@ -0,0 +1,5 @@ + o Major bugfixes (cell scheduler, KIST): + - Make KIST to always take into account the outbuf length when computing + what we can actually put in the outbuf. This could lead to the outbuf + being filled up and thus a possible memory DoS vector. TROVE-2019-001. + Fixes bug 29168; bugfix on 0.3.2.1-alpha. diff --git a/src/core/or/scheduler_kist.c b/src/core/or/scheduler_kist.c index 01be751ad2..1ec1c49c73 100644 --- a/src/core/or/scheduler_kist.c +++ b/src/core/or/scheduler_kist.c @@ -286,7 +286,7 @@ update_socket_info_impl, (socket_table_ent_t *ent)) extra_space = clamp_double_to_int64( (ent->cwnd * (int64_t)ent->mss) * sock_buf_size_factor) - - ent->notsent; + ent->notsent - (int64_t)channel_outbuf_length((channel_t *) ent->chan); if ((tcp_space + extra_space) < 0) { /* This means that the "notsent" queue is just too big so we shouldn't put * more in the kernel for now. */ |