aboutsummaryrefslogtreecommitdiff
path: root/src/common
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2010-12-16 16:59:12 -0500
committerRoger Dingledine <arma@torproject.org>2010-12-16 16:59:12 -0500
commit975ffe439889300783e0607dd20fce550f418ff5 (patch)
tree52cd8a4410e5d69ecd627b7ad25d2973ba7d3362 /src/common
parent3c3b1d14fd1031c244c62fd16dac0dff53cb069f (diff)
parentb0def605a52b3acce1cb212f270b184d72f237f5 (diff)
downloadtor-975ffe439889300783e0607dd20fce550f418ff5.tar.gz
tor-975ffe439889300783e0607dd20fce550f418ff5.zip
Merge commit 'nickm/fix_security_bug_021' into maint-0.2.1
Diffstat (limited to 'src/common')
-rw-r--r--src/common/compat.c15
-rw-r--r--src/common/compat.h16
-rw-r--r--src/common/crypto.c11
-rw-r--r--src/common/memarea.c3
-rw-r--r--src/common/mempool.c4
-rw-r--r--src/common/torint.h2
-rw-r--r--src/common/util.c11
7 files changed, 43 insertions, 19 deletions
diff --git a/src/common/compat.c b/src/common/compat.c
index b2dab5c341..4cc8d99794 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -126,6 +126,7 @@ tor_mmap_file(const char *filename)
return NULL;
}
+ /* XXXX why not just do fstat here? */
size = filesize = (size_t) lseek(fd, 0, SEEK_END);
lseek(fd, 0, SEEK_SET);
/* ensure page alignment */
@@ -294,7 +295,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
int r;
if (size == 0)
return -1; /* no place for the NUL */
- if (size > SSIZE_T_MAX-16)
+ if (size > SIZE_T_CEILING)
return -1;
#ifdef MS_WINDOWS
r = _vsnprintf(str, size, format, args);
@@ -430,7 +431,7 @@ tor_fix_source_file(const char *fname)
* unaligned memory access.
*/
uint16_t
-get_uint16(const char *cp)
+get_uint16(const void *cp)
{
uint16_t v;
memcpy(&v,cp,2);
@@ -442,7 +443,7 @@ get_uint16(const char *cp)
* unaligned memory access.
*/
uint32_t
-get_uint32(const char *cp)
+get_uint32(const void *cp)
{
uint32_t v;
memcpy(&v,cp,4);
@@ -454,7 +455,7 @@ get_uint32(const char *cp)
* unaligned memory access.
*/
uint64_t
-get_uint64(const char *cp)
+get_uint64(const void *cp)
{
uint64_t v;
memcpy(&v,cp,8);
@@ -466,7 +467,7 @@ get_uint64(const char *cp)
* *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
-set_uint16(char *cp, uint16_t v)
+set_uint16(void *cp, uint16_t v)
{
memcpy(cp,&v,2);
}
@@ -475,7 +476,7 @@ set_uint16(char *cp, uint16_t v)
* *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
-set_uint32(char *cp, uint32_t v)
+set_uint32(void *cp, uint32_t v)
{
memcpy(cp,&v,4);
}
@@ -484,7 +485,7 @@ set_uint32(char *cp, uint32_t v)
* *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
-set_uint64(char *cp, uint64_t v)
+set_uint64(void *cp, uint64_t v)
{
memcpy(cp,&v,8);
}
diff --git a/src/common/compat.h b/src/common/compat.h
index fbbbb3fc92..209d9fc38b 100644
--- a/src/common/compat.h
+++ b/src/common/compat.h
@@ -448,18 +448,18 @@ typedef enum {
/* ===== OS compatibility */
const char *get_uname(void);
-uint16_t get_uint16(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint32_t get_uint32(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint64_t get_uint64(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-void set_uint16(char *cp, uint16_t v) ATTR_NONNULL((1));
-void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1));
-void set_uint64(char *cp, uint64_t v) ATTR_NONNULL((1));
+uint16_t get_uint16(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint32_t get_uint32(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint64_t get_uint64(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+void set_uint16(void *cp, uint16_t v) ATTR_NONNULL((1));
+void set_uint32(void *cp, uint32_t v) ATTR_NONNULL((1));
+void set_uint64(void *cp, uint64_t v) ATTR_NONNULL((1));
/* These uint8 variants are defined to make the code more uniform. */
#define get_uint8(cp) (*(const uint8_t*)(cp))
-static void set_uint8(char *cp, uint8_t v);
+static void set_uint8(void *cp, uint8_t v);
static INLINE void
-set_uint8(char *cp, uint8_t v)
+set_uint8(void *cp, uint8_t v)
{
*(uint8_t*)cp = v;
}
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 8aef4771c3..751a5b0c61 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -811,6 +811,8 @@ crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const char *data,
tor_assert(env);
tor_assert(data);
tor_assert(sig);
+ tor_assert(datalen < SIZE_T_CEILING);
+ tor_assert(siglen < SIZE_T_CEILING);
if (crypto_digest(digest,data,datalen)<0) {
log_warn(LD_BUG, "couldn't compute digest");
@@ -911,6 +913,7 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
tor_assert(env);
tor_assert(from);
tor_assert(to);
+ tor_assert(fromlen < SIZE_T_CEILING);
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
pkeylen = crypto_pk_keysize(env);
@@ -978,6 +981,7 @@ crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env,
crypto_cipher_env_t *cipher = NULL;
char *buf = NULL;
+ tor_assert(fromlen < SIZE_T_CEILING);
pkeylen = crypto_pk_keysize(env);
if (fromlen <= pkeylen) {
@@ -1027,7 +1031,7 @@ crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len)
int len;
unsigned char *buf, *cp;
len = i2d_RSAPublicKey(pk->key, NULL);
- if (len < 0 || (size_t)len > dest_len)
+ if (len < 0 || (size_t)len > dest_len || dest_len > SIZE_T_CEILING)
return -1;
cp = buf = tor_malloc(len+1);
len = i2d_RSAPublicKey(pk->key, &cp);
@@ -1102,6 +1106,8 @@ add_spaces_to_fp(char *out, size_t outlen, const char *in)
{
int n = 0;
char *end = out+outlen;
+ tor_assert(outlen < SIZE_T_CEILING);
+
while (*in && out<end) {
*out++ = *in++;
if (++n == 4 && *in && out<end) {
@@ -1252,6 +1258,7 @@ crypto_cipher_encrypt(crypto_cipher_env_t *env, char *to,
tor_assert(from);
tor_assert(fromlen);
tor_assert(to);
+ tor_assert(fromlen < SIZE_T_CEILING);
aes_crypt(env->cipher, from, fromlen, to);
return 0;
@@ -1268,6 +1275,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
tor_assert(env);
tor_assert(from);
tor_assert(to);
+ tor_assert(fromlen < SIZE_T_CEILING);
aes_crypt(env->cipher, from, fromlen, to);
return 0;
@@ -1279,6 +1287,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
int
crypto_cipher_crypt_inplace(crypto_cipher_env_t *env, char *buf, size_t len)
{
+ tor_assert(len < SIZE_T_CEILING);
aes_crypt_inplace(env->cipher, buf, len);
return 0;
}
diff --git a/src/common/memarea.c b/src/common/memarea.c
index 9d908bae50..edd7bbe9ef 100644
--- a/src/common/memarea.c
+++ b/src/common/memarea.c
@@ -73,6 +73,7 @@ static memarea_chunk_t *freelist = NULL;
static memarea_chunk_t *
alloc_chunk(size_t sz, int freelist_ok)
{
+ tor_assert(sz < SIZE_T_CEILING);
if (freelist && freelist_ok) {
memarea_chunk_t *res = freelist;
freelist = res->next_chunk;
@@ -182,6 +183,7 @@ memarea_alloc(memarea_t *area, size_t sz)
memarea_chunk_t *chunk = area->first;
char *result;
tor_assert(chunk);
+ tor_assert(sz < SIZE_T_CEILING);
if (sz == 0)
sz = 1;
if (chunk->next_mem+sz > chunk->u.mem+chunk->mem_size) {
@@ -240,6 +242,7 @@ memarea_strndup(memarea_t *area, const char *s, size_t n)
size_t ln;
char *result;
const char *cp, *end = s+n;
+ tor_assert(n < SIZE_T_CEILING);
for (cp = s; cp < end && *cp; ++cp)
;
/* cp now points to s+n, or to the 0 in the string. */
diff --git a/src/common/mempool.c b/src/common/mempool.c
index 256388a9fd..1f79221b48 100644
--- a/src/common/mempool.c
+++ b/src/common/mempool.c
@@ -357,6 +357,10 @@ mp_pool_new(size_t item_size, size_t chunk_capacity)
mp_pool_t *pool;
size_t alloc_size, new_chunk_cap;
+ tor_assert(item_size < SIZE_T_CEILING);
+ tor_assert(chunk_capacity < SIZE_T_CEILING);
+ tor_assert(SIZE_T_CEILING / item_size > chunk_capacity);
+
pool = ALLOC(sizeof(mp_pool_t));
CHECK_ALLOC(pool);
memset(pool, 0, sizeof(mp_pool_t));
diff --git a/src/common/torint.h b/src/common/torint.h
index d9722868d2..665b0b4c71 100644
--- a/src/common/torint.h
+++ b/src/common/torint.h
@@ -331,7 +331,7 @@ typedef uint32_t uintptr_t;
#endif
/* Any size_t larger than this amount is likely to be an underflow. */
-#define SIZE_T_CEILING (sizeof(char)<<(sizeof(size_t)*8 - 1))
+#define SIZE_T_CEILING (SSIZE_T_MAX-16)
#endif /* __TORINT_H */
diff --git a/src/common/util.c b/src/common/util.c
index 34bb9cc376..0571a532cd 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -115,6 +115,8 @@ _tor_malloc(size_t size DMALLOC_PARAMS)
{
void *result;
+ tor_assert(size < SIZE_T_CEILING);
+
#ifndef MALLOC_ZERO_WORKS
/* Some libc mallocs don't work when size==0. Override them. */
if (size==0) {
@@ -211,6 +213,7 @@ _tor_strndup(const char *s, size_t n DMALLOC_PARAMS)
{
char *dup;
tor_assert(s);
+ tor_assert(n < SIZE_T_CEILING);
dup = _tor_malloc((n+1) DMALLOC_FN_ARGS);
/* Performance note: Ordinarily we prefer strlcpy to strncpy. But
* this function gets called a whole lot, and platform strncpy is
@@ -227,6 +230,7 @@ void *
_tor_memdup(const void *mem, size_t len DMALLOC_PARAMS)
{
char *dup;
+ tor_assert(len < SIZE_T_CEILING);
tor_assert(mem);
dup = _tor_malloc(len DMALLOC_FN_ARGS);
memcpy(dup, mem, len);
@@ -256,12 +260,15 @@ void *
_tor_malloc_roundup(size_t *sizep DMALLOC_PARAMS)
{
#ifdef HAVE_MALLOC_GOOD_SIZE
+ tor_assert(*sizep < SIZE_T_CEILING);
*sizep = malloc_good_size(*sizep);
return _tor_malloc(*sizep DMALLOC_FN_ARGS);
#elif 0 && defined(HAVE_MALLOC_USABLE_SIZE) && !defined(USE_DMALLOC)
/* Never use malloc_usable_size(); it makes valgrind really unhappy,
* and doesn't win much in terms of usable space where it exists. */
- void *result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
+ void *result;
+ tor_assert(*sizep < SIZE_T_CEILING);
+ result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
*sizep = malloc_usable_size(result);
return result;
#else
@@ -1927,7 +1934,7 @@ read_file_to_str(const char *filename, int flags, struct stat *stat_out)
return NULL;
}
- if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_MAX)
+ if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
return NULL;
string = tor_malloc((size_t)(statbuf.st_size+1));