From fd3e0c154236c59c2972b549500675980bb02507 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Tue, 3 Mar 2020 07:01:05 +0000 Subject: core/mainloop: Limit growth of conn->inbuf If the buf_t's length could potentially become greater than INT_MAX - 1, it sets off an IF_BUG_ONCE in buf_read_from_tls(). All of the rest of the buffers.c code has similar BUG/asserts for this invariant. --- src/core/mainloop/connection.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src/core')
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index 3595bba85c..3c8527dd53 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3684,6 +3684,15 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
 at_most = connection_bucket_read_limit(conn, approx_time());
 }
+ /* Do not allow inbuf to grow past INT_MAX - 1. */
+ const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf);
+ if (at_most > maximum) {
+ log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %"
+ TOR_PRIdSZ" might overflow.",
+ (int)conn->s, buf_datalen(conn->inbuf), at_most);
+ at_most = maximum;
+ }
+
 slack_in_buf = buf_slack(conn->inbuf);
 again:
 if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) {
-- cgit v1.2.3-54-g00ecf
From 84fe1c891bc77a2363a119f3c7dc834127bcacc7 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:55:12 +0000 Subject: core/mainloop: remove noisy logging --- src/core/mainloop/connection.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'src/core')
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index 3c8527dd53..218873ae66 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
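Review bot: In the first commit's hunk, `INT_MAX - 1 - buf_datalen(conn->inbuf)` is evaluated in size_t arithmetic (buffers.h declares buf_datalen() as returning size_t), so the bound only holds while the buffer already contains at most INT_MAX - 1 bytes. If that invariant is ever broken the subtraction wraps, `maximum` most likely becomes negative once converted to ssize_t, and the `(size_t)at_most` cast in the slack test a few lines below then yields a very large read size. Nothing in the hunk handles `maximum <= 0` (a full buffer gives 0), so I would compute the remaining room explicitly with `const size_t used = buf_datalen(conn->inbuf);` and `const ssize_t maximum = used < INT_MAX - 1 ? (ssize_t)(INT_MAX - 1 - used) : 0;`, and state what a zero `at_most` should do. The same expression is carried over unchanged in the later BUF_MAX_LEN hunk of this series. connection_buf_read_from_socket starts and ends outside the hunk, so a zero-length check further down may already exist.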
@@ -3687,9 +3687,6 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
 /* Do not allow inbuf to grow past INT_MAX - 1. */
 const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf);
 if (at_most > maximum) {
- log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %"
- TOR_PRIdSZ" might overflow.",
- (int)conn->s, buf_datalen(conn->inbuf), at_most);
 at_most = maximum;
 }
-- cgit v1.2.3-54-g00ecf
From f46b9320ae32f00aa97a397b33eaa7abdcb47fe3 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 16:02:00 +0000 Subject: buf: add BUF_MAX_LEN --- src/core/mainloop/connection.c | 4 ++-- src/lib/buf/buffers.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'src/core')
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index 708fb13cdb..f692da650d 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3804,8 +3804,8 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
 at_most = connection_bucket_read_limit(conn, approx_time());
 }
- /* Do not allow inbuf to grow past INT_MAX - 1. */
- const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf);
+ /* Do not allow inbuf to grow past BUF_MAX_LEN. */
+ const ssize_t maximum = BUF_MAX_LEN - buf_datalen(conn->inbuf);
 if (at_most > maximum) {
 at_most = maximum;
 }
diff --git a/src/lib/buf/buffers.h b/src/lib/buf/buffers.h
index fadd4174c0..d8a77feb72 100644
--- a/src/lib/buf/buffers.h
+++ b/src/lib/buf/buffers.h
@@ -29,6 +29,9 @@ void buf_free_(buf_t *buf);
 void buf_clear(buf_t *buf);
 buf_t *buf_copy(const buf_t *buf);
+/** Maximum bytes in a buffer, inclusive. */
+#define BUF_MAX_LEN (INT_MAX - 1)
+
 MOCK_DECL(size_t, buf_datalen, (const buf_t *buf));
 size_t buf_allocation(const buf_t *buf);
 size_t buf_slack(const buf_t *buf);
-- cgit v1.2.3-54-g00ecf
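Review bot: The doc comment on `BUF_MAX_LEN` in buffers.h gives the limit but not why it sits one below INT_MAX or what type the macro has, and callers need both. The macro expands to an int expression, so `BUF_MAX_LEN - buf_datalen(...)` in connection.c is computed as size_t; I would extend the comment to something like `/** Maximum bytes in a buffer, inclusive. The buffer code asserts that lengths stay at or below this; the value has type int, so cast before mixing it with size_t. */`. Whether buffers.h already includes `<limits.h>` for INT_MAX is not visible in this hunk and is worth confirming.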