core/mainloop: Limit growth of conn->inbuf

If the buf_t's length could potentially become greater than INT_MAX - 1, it sets off an IF_BUG_ONCE in buf_read_from_tls(). All of the rest of the buffers.c code has similar BUG/asserts for this invariant.
author: cypherpunks <cypherpunks@torproject.org> 2020-03-03 07:01:05 +0000
committer: cypherpunks <cypherpunks@torproject.org> 2020-03-24 05:19:24 +0000
commit: fd3e0c154236c59c2972b549500675980bb02507 (patch)
tree: d2b0fede6c65721d2976a612fa61ee613790dd68 /src/core/mainloop
parent: b9c7c61ea5233854ff83257a8bc530b7e0a50351 (diff)
download: tor-fd3e0c154236c59c2972b549500675980bb02507.tar.gz
tor-fd3e0c154236c59c2972b549500675980bb02507.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index 3595bba85c..3c8527dd53 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3684,6 +3684,15 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
     at_most = connection_bucket_read_limit(conn, approx_time());
   }
 
+  /* Do not allow inbuf to grow past INT_MAX - 1. */
+  const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf);
+  if (at_most > maximum) {
+    log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %"
+              TOR_PRIdSZ" might overflow.",
+              (int)conn->s, buf_datalen(conn->inbuf), at_most);
+    at_most = maximum;
+  }
+
   slack_in_buf = buf_slack(conn->inbuf);
  again:
   if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) {
author	cypherpunks <cypherpunks@torproject.org>	2020-03-03 07:01:05 +0000
committer	cypherpunks <cypherpunks@torproject.org>	2020-03-24 05:19:24 +0000
commit	fd3e0c154236c59c2972b549500675980bb02507 (patch)
tree	d2b0fede6c65721d2976a612fa61ee613790dd68 /src/core/mainloop
parent	b9c7c61ea5233854ff83257a8bc530b7e0a50351 (diff)
download	tor-fd3e0c154236c59c2972b549500675980bb02507.tar.gz tor-fd3e0c154236c59c2972b549500675980bb02507.zip