Merge remote branch fix_security_bug_021 into fix_security_bug_022

Conflicts:
	src/common/memarea.c
	src/or/or.h
	src/or/rendclient.c

7 files changed, 43 insertions, 19 deletions

diff --git a/src/common/compat.c b/src/common/compat.c
index 4d556a85e6..8ec4221b22 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -126,6 +126,7 @@ tor_mmap_file(const char *filename)
     return NULL;
   }
 
+  /* XXXX why not just do fstat here? */
   size = filesize = (size_t) lseek(fd, 0, SEEK_END);
   lseek(fd, 0, SEEK_SET);
   /* ensure page alignment */
@@ -299,7 +300,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
   int r;
   if (size == 0)
     return -1; /* no place for the NUL */
-  if (size > SSIZE_T_MAX-16)
+  if (size > SIZE_T_CEILING)
     return -1;
 #ifdef MS_WINDOWS
   r = _vsnprintf(str, size, format, args);
@@ -560,7 +561,7 @@ tor_fix_source_file(const char *fname)
  * unaligned memory access.
  */
 uint16_t
-get_uint16(const char *cp)
+get_uint16(const void *cp)
 {
   uint16_t v;
   memcpy(&v,cp,2);
@@ -572,7 +573,7 @@ get_uint16(const char *cp)
  * unaligned memory access.
  */
 uint32_t
-get_uint32(const char *cp)
+get_uint32(const void *cp)
 {
   uint32_t v;
   memcpy(&v,cp,4);
@@ -584,7 +585,7 @@ get_uint32(const char *cp)
  * unaligned memory access.
  */
 uint64_t
-get_uint64(const char *cp)
+get_uint64(const void *cp)
 {
   uint64_t v;
   memcpy(&v,cp,8);
@@ -596,7 +597,7 @@ get_uint64(const char *cp)
  * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint16(char *cp, uint16_t v)
+set_uint16(void *cp, uint16_t v)
 {
   memcpy(cp,&v,2);
 }
@@ -605,7 +606,7 @@ set_uint16(char *cp, uint16_t v)
  * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint32(char *cp, uint32_t v)
+set_uint32(void *cp, uint32_t v)
 {
   memcpy(cp,&v,4);
 }
@@ -614,7 +615,7 @@ set_uint32(char *cp, uint32_t v)
  * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint64(char *cp, uint64_t v)
+set_uint64(void *cp, uint64_t v)
 {
   memcpy(cp,&v,8);
 }
diff --git a/src/common/compat.h b/src/common/compat.h
index 449bf748f4..03e0686e8d 100644
--- a/src/common/compat.h
+++ b/src/common/compat.h
@@ -488,18 +488,18 @@ long tor_weak_random(void);
 /* ===== OS compatibility */
 const char *get_uname(void);
 
-uint16_t get_uint16(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint32_t get_uint32(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint64_t get_uint64(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-void set_uint16(char *cp, uint16_t v) ATTR_NONNULL((1));
-void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1));
-void set_uint64(char *cp, uint64_t v) ATTR_NONNULL((1));
+uint16_t get_uint16(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint32_t get_uint32(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint64_t get_uint64(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+void set_uint16(void *cp, uint16_t v) ATTR_NONNULL((1));
+void set_uint32(void *cp, uint32_t v) ATTR_NONNULL((1));
+void set_uint64(void *cp, uint64_t v) ATTR_NONNULL((1));
 
 /* These uint8 variants are defined to make the code more uniform. */
 #define get_uint8(cp) (*(const uint8_t*)(cp))
-static void set_uint8(char *cp, uint8_t v);
+static void set_uint8(void *cp, uint8_t v);
 static INLINE void
-set_uint8(char *cp, uint8_t v)
+set_uint8(void *cp, uint8_t v)
 {
   *(uint8_t*)cp = v;
 }
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 81a432d8d4..e030c56064 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -901,6 +901,8 @@ crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const char *data,
   tor_assert(env);
   tor_assert(data);
   tor_assert(sig);
+  tor_assert(datalen < SIZE_T_CEILING);
+  tor_assert(siglen < SIZE_T_CEILING);
 
   if (crypto_digest(digest,data,datalen)<0) {
     log_warn(LD_BUG, "couldn't compute digest");
@@ -1001,6 +1003,7 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
   tor_assert(env);
   tor_assert(from);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
   pkeylen = crypto_pk_keysize(env);
@@ -1068,6 +1071,7 @@ crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env,
   crypto_cipher_env_t *cipher = NULL;
   char *buf = NULL;
 
+  tor_assert(fromlen < SIZE_T_CEILING);
   pkeylen = crypto_pk_keysize(env);
 
   if (fromlen <= pkeylen) {
@@ -1117,7 +1121,7 @@ crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len)
   int len;
   unsigned char *buf, *cp;
   len = i2d_RSAPublicKey(pk->key, NULL);
-  if (len < 0 || (size_t)len > dest_len)
+  if (len < 0 || (size_t)len > dest_len || dest_len > SIZE_T_CEILING)
     return -1;
   cp = buf = tor_malloc(len+1);
   len = i2d_RSAPublicKey(pk->key, &cp);
@@ -1192,6 +1196,8 @@ add_spaces_to_fp(char *out, size_t outlen, const char *in)
 {
   int n = 0;
   char *end = out+outlen;
+  tor_assert(outlen < SIZE_T_CEILING);
+
   while (*in && out<end) {
     *out++ = *in++;
     if (++n == 4 && *in && out<end) {
@@ -1337,6 +1343,7 @@ crypto_cipher_encrypt(crypto_cipher_env_t *env, char *to,
   tor_assert(from);
   tor_assert(fromlen);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   aes_crypt(env->cipher, from, fromlen, to);
   return 0;
@@ -1353,6 +1360,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
   tor_assert(env);
   tor_assert(from);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   aes_crypt(env->cipher, from, fromlen, to);
   return 0;
@@ -1364,6 +1372,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
 int
 crypto_cipher_crypt_inplace(crypto_cipher_env_t *env, char *buf, size_t len)
 {
+  tor_assert(len < SIZE_T_CEILING);
   aes_crypt_inplace(env->cipher, buf, len);
   return 0;
 }
diff --git a/src/common/memarea.c b/src/common/memarea.c
index 77579e63be..dac15434c0 100644
--- a/src/common/memarea.c
+++ b/src/common/memarea.c
@@ -95,6 +95,7 @@ static memarea_chunk_t *freelist = NULL;
 static memarea_chunk_t *
 alloc_chunk(size_t sz, int freelist_ok)
 {
+  tor_assert(sz < SIZE_T_CEILING);
   if (freelist && freelist_ok) {
     memarea_chunk_t *res = freelist;
     freelist = res->next_chunk;
@@ -211,6 +212,7 @@ memarea_alloc(memarea_t *area, size_t sz)
   char *result;
   tor_assert(chunk);
   CHECK_SENTINEL(chunk);
+  tor_assert(sz < SIZE_T_CEILING);
   if (sz == 0)
     sz = 1;
   if (chunk->next_mem+sz > chunk->u.mem+chunk->mem_size) {
@@ -269,6 +271,7 @@ memarea_strndup(memarea_t *area, const char *s, size_t n)
   size_t ln;
   char *result;
   const char *cp, *end = s+n;
+  tor_assert(n < SIZE_T_CEILING);
   for (cp = s; cp < end && *cp; ++cp)
     ;
   /* cp now points to s+n, or to the 0 in the string. */
diff --git a/src/common/mempool.c b/src/common/mempool.c
index c795d83f0c..9d019d618e 100644
--- a/src/common/mempool.c
+++ b/src/common/mempool.c
@@ -357,6 +357,10 @@ mp_pool_new(size_t item_size, size_t chunk_capacity)
   mp_pool_t *pool;
   size_t alloc_size, new_chunk_cap;
 
+  tor_assert(item_size < SIZE_T_CEILING);
+  tor_assert(chunk_capacity < SIZE_T_CEILING);
+  tor_assert(SIZE_T_CEILING / item_size > chunk_capacity);
+
   pool = ALLOC(sizeof(mp_pool_t));
   CHECK_ALLOC(pool);
   memset(pool, 0, sizeof(mp_pool_t));
diff --git a/src/common/torint.h b/src/common/torint.h
index 57f18212ad..a57d501002 100644
--- a/src/common/torint.h
+++ b/src/common/torint.h
@@ -330,7 +330,7 @@ typedef uint32_t uintptr_t;
 #endif
 
 /* Any size_t larger than this amount is likely to be an underflow. */
-#define SIZE_T_CEILING (sizeof(char)<<(sizeof(size_t)*8 - 1))
+#define SIZE_T_CEILING (SSIZE_T_MAX-16)
 
 #endif /* __TORINT_H */
 
diff --git a/src/common/util.c b/src/common/util.c
index dafe12071f..d511872964 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -122,6 +122,8 @@ _tor_malloc(size_t size DMALLOC_PARAMS)
 {
   void *result;
 
+  tor_assert(size < SIZE_T_CEILING);
+
 #ifndef MALLOC_ZERO_WORKS
   /* Some libc mallocs don't work when size==0. Override them. */
   if (size==0) {
@@ -218,6 +220,7 @@ _tor_strndup(const char *s, size_t n DMALLOC_PARAMS)
 {
   char *dup;
   tor_assert(s);
+  tor_assert(n < SIZE_T_CEILING);
   dup = _tor_malloc((n+1) DMALLOC_FN_ARGS);
   /* Performance note: Ordinarily we prefer strlcpy to strncpy.  But
    * this function gets called a whole lot, and platform strncpy is
@@ -234,6 +237,7 @@ void *
 _tor_memdup(const void *mem, size_t len DMALLOC_PARAMS)
 {
   char *dup;
+  tor_assert(len < SIZE_T_CEILING);
   tor_assert(mem);
   dup = _tor_malloc(len DMALLOC_FN_ARGS);
   memcpy(dup, mem, len);
@@ -263,12 +267,15 @@ void *
 _tor_malloc_roundup(size_t *sizep DMALLOC_PARAMS)
 {
 #ifdef HAVE_MALLOC_GOOD_SIZE
+  tor_assert(*sizep < SIZE_T_CEILING);
   *sizep = malloc_good_size(*sizep);
   return _tor_malloc(*sizep DMALLOC_FN_ARGS);
 #elif 0 && defined(HAVE_MALLOC_USABLE_SIZE) && !defined(USE_DMALLOC)
   /* Never use malloc_usable_size(); it makes valgrind really unhappy,
    * and doesn't win much in terms of usable space where it exists. */
-  void *result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
+  void *result;
+  tor_assert(*sizep < SIZE_T_CEILING);
+  result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
   *sizep = malloc_usable_size(result);
   return result;
 #else
@@ -2131,7 +2138,7 @@ read_file_to_str(const char *filename, int flags, struct stat *stat_out)
     return NULL;
   }
 
-  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_MAX)
+  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
     return NULL;
 
   string = tor_malloc((size_t)(statbuf.st_size+1));