diff options
author | teor <teor@torproject.org> | 2019-04-10 18:27:11 +1000 |
---|---|---|
committer | teor <teor@torproject.org> | 2019-04-10 18:27:11 +1000 |
commit | a1d9f44971f2442a41a4d5fbed5aba28d872e15b (patch) | |
tree | d4f9c0979ff114fe30d76f05ff3cb9e2e79c5b38 /src | |
parent | c28cdcc9bf5df9ed6479881a1fc4124a7b7a2676 (diff) | |
parent | 454bdb22eeb4637a8bb5e40deb8454311f4ba4a2 (diff) | |
download | tor-a1d9f44971f2442a41a4d5fbed5aba28d872e15b.tar.gz tor-a1d9f44971f2442a41a4d5fbed5aba28d872e15b.zip |
Merge branch 'maint-0.4.0'
Diffstat (limited to 'src')
-rw-r--r-- | src/core/mainloop/connection.c | 4 | ||||
-rw-r--r-- | src/lib/buf/buffers.c | 11 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index a56e7f9e0a..51c19b4c4c 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3789,6 +3789,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, if (conn->linked_conn) { result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf, &conn->linked_conn->outbuf_flushlen); + if (BUG(result<0)) { + log_warn(LD_BUG, "reading from linked connection buffer failed."); + return -1; + } } else { result = 0; } diff --git a/src/lib/buf/buffers.c b/src/lib/buf/buffers.c index e7a3b87df0..88a25b8470 100644 --- a/src/lib/buf/buffers.c +++ b/src/lib/buf/buffers.c @@ -283,7 +283,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ - if (!cp || sz <= 0) { + if (!cp || sz <= 0 || sz >= INT_MAX) { return NULL; } @@ -657,7 +657,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; - if (BUG(buf_out->datalen >= INT_MAX)) + if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX)) return -1; if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) return -1; @@ -689,6 +689,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; + if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX)) + return; + if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen)) + return; if (buf_out->head == NULL) { buf_out->head = buf_in->head; @@ -756,6 +760,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) static inline int buf_pos_inc(buf_pos_t *pos) { + tor_assert(pos->pos < INT_MAX - 1); ++pos->pos; if (pos->pos == (off_t)pos->chunk->datalen) { if (!pos->chunk->next) @@ -836,6 +841,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; off_t offset = 0; + tor_assert(buf->datalen < INT_MAX); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) @@ -905,6 +911,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); + tor_assert(ch->datalen < INT_MAX); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { |