| field | value | date |
|---|---|---|
| author | Nick Mathewson <nickm@torproject.org> | 2010-12-13 18:40:21 -0500 |
| committer | Nick Mathewson <nickm@torproject.org> | 2010-12-13 18:40:21 -0500 |
| commit | 785086cfbaf15a78a921f5589a76517b1d4840b1 (patch) | |
| tree | 452b47f3da27025aea6193ba045a6e97a0851a65 /src/common/compat.c | |
| parent | 649ee99846966c87350cd3282639326f8b4ee4af (diff) | |
| download | tor-785086cfbaf15a78a921f5589a76517b1d4840b1.tar.gz tor-785086cfbaf15a78a921f5589a76517b1d4840b1.zip | |
Have all of our allocation functions and a few others check for underflow
It's all too easy in C to convert an unsigned value to a signed one,
which will (on all modern computers) give you a huge signed value. If
you have a size_t value of size greater than SSIZE_T_MAX, that is way
likelier to be an underflow than it is to be an actual request for
more than 2gb of memory in one go. (There's nothing in Tor that
should be trying to allocate >2gb chunks.)
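The wrap-around the commit message describes, shown as an added C example (not Tor's code): a `size_t` subtraction that goes negative becomes a huge unsigned value, which reads as a small negative number once converted to a signed type, and a ceiling check at the allocation boundary catches it before `malloc()` ever sees it. `EXAMPLE_SIZE_CEILING`, `wrapped_size`, `as_signed` and `checked_malloc` are names chosen for this example; the ceiling value is an assumption, not Tor's real `SIZE_T_CEILING`.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative ceiling (an assumption for this example, not Tor's actual
 * SIZE_T_CEILING): half of SIZE_MAX, i.e. the largest size that still fits
 * in a signed ssize_t on two's-complement machines. Anything above it is far
 * likelier to be an unsigned wrap-around than a genuine request. */
#define EXAMPLE_SIZE_CEILING (SIZE_MAX / 2)

/* Returns 1 if the size looks like a real request, 0 if it looks wrapped. */
int size_is_plausible(size_t n)
{
  return n <= EXAMPLE_SIZE_CEILING;
}

/* A size_t subtraction that silently wraps when need > have; this is the
 * kind of arithmetic the commit message is worried about. */
size_t wrapped_size(size_t have, size_t need)
{
  return have - need;
}

/* What the wrapped value becomes once converted to a signed type of the same
 * width (modulo 2^N on the usual two's-complement targets). */
intptr_t as_signed(size_t n)
{
  return (intptr_t)n;
}

/* Allocation wrapper in the spirit of the patch: reject implausible sizes up
 * front instead of handing a wrapped value to malloc(). Returns NULL on
 * rejection so the behaviour can be asserted on; a production wrapper would
 * typically abort instead. */
void *checked_malloc(size_t n)
{
  if (!size_is_plausible(n))
    return NULL;
  return malloc(n);
}

int main(void)
{
  size_t bad = wrapped_size(10, 20);   /* constructed input: 10 - 20 wraps */
  printf("wrapped size as unsigned: %zu\n", bad);
  printf("same value as signed:     %" PRIdPTR "\n", as_signed(bad));
  printf("plausible?                %d\n", size_is_plausible(bad));
  void *p = checked_malloc(bad);
  printf("checked_malloc:           %s\n", p ? "allocated" : "rejected");
  free(p);
  return 0;
}
```

The check costs one comparison per allocation and turns a silent huge allocation (or a later out-of-bounds write against a buffer that was never that large) into an immediate, loud failure at the point where the bad size first appears.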
Diffstat (limited to 'src/common/compat.c')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/common/compat.c | 3 |

1 files changed, 2 insertions, 1 deletions
diff --git a/src/common/compat.c b/src/common/compat.c index b2dab5c341..e853bc7ef2 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -126,6 +126,7 @@ tor_mmap_file(const char *filename) return NULL; } + /* XXXX why not just do fstat here? */ size = filesize = (size_t) lseek(fd, 0, SEEK_END); lseek(fd, 0, SEEK_SET); /* ensure page alignment */ @@ -294,7 +295,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args) int r; if (size == 0) return -1; /* no place for the NUL */ - if (size > SSIZE_T_MAX-16) + if (size > SIZE_T_CEILING) return -1; #ifdef MS_WINDOWS r = _vsnprintf(str, size, format, args); |
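Review bot: in the first hunk (`tor_mmap_file`) the new `/* XXXX why not just do fstat here? */` comment flags the problem but leaves `size = filesize = (size_t) lseek(fd, 0, SEEK_END);` as it was, so an `lseek` failure (return value -1) is still cast to a huge `size_t` before any ceiling check could notice it, which is exactly the negative-to-unsigned pattern the commit message describes. Either act on the comment and take the size from `fstat`, or test the `off_t` result before casting, e.g. `off_t end = lseek(fd, 0, SEEK_END); if (end < 0) { close(fd); return NULL; }`, instead of shipping a TODO next to the unchecked conversion.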
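Review bot: in the second hunk (`tor_vsnprintf`) the bound `size > SSIZE_T_MAX-16` becomes `size > SIZE_T_CEILING`, but the definition of `SIZE_T_CEILING` is not in this diff (the diffstat covers only `src/common/compat.c`), so a reader cannot tell whether the new ceiling is at least as tight as the old one or why the 16-byte headroom was dropped. A one-line comment at the check stating its purpose (rejecting sizes that look like wrapped negative values, as the commit message explains) and pointing at where the macro is defined would make the change reviewable on its own; the `int r` returned by `_vsnprintf`/`vsnprintf` should keep being compared against `size` only after this guard, as the surrounding context already does.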