• Tobias Stoeckmann's avatar
    Prevent UB on signed overflow. · 0d4a689d
    Tobias Stoeckmann authored and Nick Mathewson's avatar Nick Mathewson committed
    Overflowing a signed integer in C is an undefined behaviour.
    It is possible to trigger this undefined behaviour in tor_asprintf on
    Windows or systems lacking vasprintf.
    On these systems, eiter _vscprintf or vsnprintf is called to retrieve
    the required amount of bytes to hold the string. These functions can
    return INT_MAX. The easiest way to recreate this is the use of a
    specially crafted configuration file, e.g. containing the line:
    FirewallPorts AAAAA<in total 2147483610 As>
    This line triggers the needed tor_asprintf call which eventually
    leads to an INT_MAX return value from _vscprintf or vsnprintf.
    The needed byte for \0 is added to the result, triggering the
    overflow and therefore the undefined behaviour.
    Casting the value to size_t before addition fixes the behaviour.
    Signed-off-by: default avatarTobias Stoeckmann <tobias@stoeckmann.org>