From 71ee53fe9bdf3f64eef9b38de55960185e8be1b5 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 3 Mar 2015 22:20:17 +0100 Subject: Do not leave empty, invalid chunks in buffers during buf_pullup This fixes an assertion failure bug in 15083; bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks' --- changes/bug15083 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changes/bug15083 (limited to 'changes') diff --git a/changes/bug15083 b/changes/bug15083 new file mode 100644 index 0000000000..98d1d0e535 --- /dev/null +++ b/changes/bug15083 @@ -0,0 +1,6 @@ + o Major bugfixes (relay, stability): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed + to buf_pullup() at exactly the wrong time. Fixes bug 15083; + bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. + -- cgit v1.2.3-54-g00ecf From 81a994ce77038721df3aa2f77b783db9a52da79e Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 3 Mar 2015 22:25:26 +0100 Subject: Make the assert related to 15083 a tiny bit more tolerant --- changes/bug15083 | 6 +++++- src/or/buffers.c | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'changes') diff --git a/changes/bug15083 b/changes/bug15083 index 98d1d0e535..2bd0715dfc 100644 --- a/changes/bug15083 +++ b/changes/bug15083 @@ -3,4 +3,8 @@ failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. - + + - Do not assert if the 'data' pointer on a buffer is advanced to the very + end of the buffer; log a BUG message instead. Only assert if it is + past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + diff --git a/src/or/buffers.c b/src/or/buffers.c index 7976432793..9dfed007da 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c 
@@ -2483,7 +2483,14 @@ assert_buf_ok(buf_t *buf) total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->data >= &ch->mem[0]); - tor_assert(ch->data < &ch->mem[0]+ch->memlen); + tor_assert(ch->data <= &ch->mem[0]+ch->memlen); + if (ch->data == &ch->mem[0]+ch->memlen) { + static int warned = 0; + if (! warned) { + log_warn(LD_BUG, "Invariant violation in buf.c related to #15083"); + warned = 1; + } + } tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen); if (!ch->next) tor_assert(ch == buf->tail); -- cgit v1.2.3-54-g00ecf From addffcc14ddf40b3cd1bff3fa86a82354e981a03 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 9 Mar 2015 11:07:50 -0400 Subject: Adjust changes header --- changes/bug15083 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'changes') diff --git a/changes/bug15083 b/changes/bug15083 index 2bd0715dfc..5cc79b5ba1 100644 --- a/changes/bug15083 +++ b/changes/bug15083 @@ -1,4 +1,4 @@ - o Major bugfixes (relay, stability): + o Major bugfixes (relay, stability, possible security): - Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; -- cgit v1.2.3-54-g00ecf
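Review bot: The BUG message on the new `log_warn` line names `buf.c`, but this hunk is in src/or/buffers.c, and the message says nothing about the offending chunk, so an operator who hits it can neither find the code nor tell whether the chunk was empty; consider `log_warn(LD_BUG, "Chunk data pointer at end of chunk memory (datalen=%lu) in buffers.c; see #15083", (unsigned long)ch->datalen);`. Relaxing the bound to `<=` is only safe when `ch->datalen` is 0, which the following `tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen)` still enforces, so a one-line comment on the `==` branch such as `/* data == mem+memlen is tolerated only for an empty chunk; the next assert still catches any read past the end. */` would make that invariant explicit for the next reader. Because `warned` is a function-local static set once, every later occurrence is silent for the life of the process; if this is meant to diagnose a recurring condition a counter in the message would help, though the single-shot behaviour may well be deliberate. assert_buf_ok() begins before this hunk and continues after it.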