authorSebastian Hahn <sebastian@torproject.org>2010-12-30 19:54:13 +0100
committerSebastian Hahn <sebastian@torproject.org>2011-01-15 19:42:17 +0100
commit026e7987ad312a26efb926ae44adc158770de7cd (patch)
tree73a8e03bc137be9aa3aaa644ea5bc2e1a1586987 /src/or/or.h
parentca6c8136128eed09a33aeeddc6d11b58b4eb361b (diff)
Sanity-check consensus param values
We need to make sure that the worst thing that a weird consensus param can do to us is to break our Tor (and only if the other Tors are reliably broken in the same way) so that the majority of directory authorities can't pull any attacks that are worse than the DoS that they can trigger by simply shutting down. One of these worse things was the cbtnummodes parameter, which could lead to heap corruption on some systems if the value was sufficiently large. This commit fixes this particular issue and also introduces sanity checking for all consensus parameters.
Diffstat (limited to 'src/or/or.h')
-rw-r--r--src/or/or.h28
1 files changed, 27 insertions, 1 deletions
diff --git a/src/or/or.h b/src/or/or.h
index cb36126d99..01ff5e89d5 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -765,6 +765,8 @@ typedef enum {
/** Initial value for both sides of a circuit transmission window when the
* circuit is initialized. Measured in cells. */
#define CIRCWINDOW_START 1000
+#define CIRCWINDOW_START_MIN 1
+#define CIRCWINDOW_START_MAX 100000
/** Amount to increment a circuit window when we get a circuit SENDME. */
#define CIRCWINDOW_INCREMENT 100
/** Initial value on both sides of a stream transmission window when the
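Review bot: CIRCWINDOW_START_MIN and CIRCWINDOW_START_MAX (lines 27-28) are added without any doc comment, while the neighbouring CIRCWINDOW_START and CIRCWINDOW_INCREMENT each carry one, so a reader cannot tell from the header whether these are clamp bounds or alternative defaults. The commit message says they bound a consensus parameter; that should be stated where the macros live. Suggest `/** Range a consensus-supplied override of CIRCWINDOW_START is clamped to. */` above CIRCWINDOW_START_MIN, and the same treatment for the other new *_MIN/*_MAX pairs in this file.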
@@ -2942,6 +2944,11 @@ struct socks_request_t {
/* Circuit Build Timeout "public" structures. */
+/** Precision multiplier for the Bw weights */
+#define BW_WEIGHT_SCALE 10000
+#define BW_MIN_WEIGHT_SCALE 1
+#define BW_MAX_WEIGHT_SCALE INT32_MAX
+
/** Total size of the circuit timeout history to accumulate.
* 1000 is approx 2.5 days worth of continual-use circuits. */
#define CBT_NCIRCUITS_TO_OBSERVE 1000
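Review bot: BW_MAX_WEIGHT_SCALE is INT32_MAX (line 37), which only keeps the scale itself representable; any product of a weight and the scale in 32-bit arithmetic would still overflow at the top of this range. I cannot see the consumers from this hunk, so if they already compute in 64-bit this is fine, otherwise the upper bound should be lowered to what the arithmetic tolerates. Either way the reasoning belongs in a comment, e.g. `/* Upper bound for the bwweightscale consensus parameter; callers must do weight*scale in 64-bit. */` if that is the case, and the comment on line 34 should read "bandwidth weights" rather than "Bw weights".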
@@ -2951,6 +2958,8 @@ struct socks_request_t {
/** Number of modes to use in the weighted-avg computation of Xm */
#define CBT_DEFAULT_NUM_XM_MODES 3
+#define CBT_MIN_NUM_XM_MODES 1
+#define CBT_MAX_NUM_XM_MODES 20
/** A build_time_t is milliseconds */
typedef uint32_t build_time_t;
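Review bot: CBT_MAX_NUM_XM_MODES at line 46 is the bound that, per the commit message, stops an oversized cbtnummodes value from corrupting the heap, but nothing at the definition records that the value sizes an allocation, so a future maintainer may raise the cap without revisiting the buffer it governs. Suggest `/* cbtnummodes is clamped to [MIN, MAX]; the upper bound exists because the value sizes a heap buffer. */` above CBT_MIN_NUM_XM_MODES. The existing comment on line 43 only describes the default, not the range.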
@@ -2972,12 +2981,16 @@ typedef uint32_t build_time_t;
* build in terms of CDF quantile.
*/
#define CBT_DEFAULT_CLOSE_QUANTILE 95
+/* Minimum value derived from cbtquantile parameter. */
+#define CBT_MAX_CLOSE_QUANTILE 99
/**
* How many circuits count as recent when considering if the
* connection has gone gimpy or changed.
*/
#define CBT_DEFAULT_RECENT_CIRCUITS 20
+#define CBT_MIN_RECENT_CIRCUITS 3
+#define CBT_MAX_RECENT_CIRCUITS 1000
/**
* Maximum count of timeouts that finish the first hop in the past
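Review bot: The comment at line 53 says "Minimum value derived from cbtquantile parameter" but sits directly above CBT_MAX_CLOSE_QUANTILE, the only macro defined there, so it reads as if the maximum were mislabelled. I take it to mean that no CBT_MIN_CLOSE_QUANTILE is defined because the lower bound comes from the cbtquantile parameter at runtime; if so, say that explicitly: `/* No CBT_MIN_CLOSE_QUANTILE: the lower bound is derived from the cbtquantile parameter at runtime. */`. The block starting at line 50 is the tail of a comment that opens outside this hunk.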
@@ -2988,25 +3001,38 @@ typedef uint32_t build_time_t;
* gives us.
*/
#define CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT (CBT_DEFAULT_RECENT_CIRCUITS*9/10)
+#define CBT_MIN_MAX_RECENT_TIMEOUT_COUNT 3
+#define CBT_MAX_MAX_RECENT_TIMEOUT_COUNT 10000
/** Minimum circuits before estimating a timeout */
#define CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE 100
+#define CBT_MIN_MIN_CIRCUITS_TO_OBSERVE 1
+#define CBT_MAX_MIN_CIRCUITS_TO_OBSERVE 10000
/** Cutoff percentile on the CDF for our timeout estimation. */
#define CBT_DEFAULT_QUANTILE_CUTOFF 80
+#define CBT_MIN_QUANTILE_CUTOFF 10
+#define CBT_MAX_QUANTILE_CUTOFF 99
double circuit_build_times_quantile_cutoff(void);
/** How often in seconds should we build a test circuit */
#define CBT_DEFAULT_TEST_FREQUENCY 60
+#define CBT_MIN_TEST_FREQUENCY 1
+#define CBT_MAX_TEST_FREQUENCY INT32_MAX
/** Lowest allowable value for CircuitBuildTimeout in milliseconds */
#define CBT_DEFAULT_TIMEOUT_MIN_VALUE (1500)
+#define CBT_MIN_TIMEOUT_MIN_VALUE 500
+#define CBT_MAX_TIMEOUT_MIN_VALUE INT32_MAX
/** Initial circuit build timeout in milliseconds */
#define CBT_DEFAULT_TIMEOUT_INITIAL_VALUE (60*1000)
+#define CBT_MAX_TIMEOUT_INITIAL_VALUE INT32_MAX
+/* CBT_MIN_TIMEOUT_INITIAL_VALUE dependent on
+ * circuit_build_times_min_timeout() */
int32_t circuit_build_times_initial_timeout(void);
-#if CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT < 1
+#if CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT < CBT_MIN_MAX_RECENT_TIMEOUT_COUNT
#error "RECENT_CIRCUITS is set too low."
#endif
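Review bot: CBT_MAX_MAX_RECENT_TIMEOUT_COUNT is 10000 (line 69) while CBT_MAX_RECENT_CIRCUITS is 1000 (line 61); if the timeout count is, as the names suggest, a count taken over the recent circuits, the upper 9000 of that range can never be reached and a consensus value in it would pass the sanity check only to be meaningless at runtime. I cannot confirm the relationship from this hunk, so either tie the bounds, `#define CBT_MAX_MAX_RECENT_TIMEOUT_COUNT CBT_MAX_RECENT_CIRCUITS`, or document why the larger value is intended. The updated `#if` at line 94 also checks only this one default against its minimum; the other new ranges have no compile-time check that their defaults lie inside them, and the comments at lines 90-91 use `/* */` where the surrounding header uses `/** */`.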