Unverified Commit e3ba9b7a authored by teor's avatar teor
Browse files

Merge remote-tracking branch 'tor-github/pr/920' into maint-0.3.5

parents 519556ef c24928dd
o Minor bugfixes (hardening):
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the event
of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by
Tobias Stoeckmann.
......@@ -3759,6 +3759,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) {
result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen);
if (BUG(result<0)) {
log_warn(LD_BUG, "reading from linked connection buffer failed.");
return -1;
}
} else {
result = 0;
}
......
......@@ -283,7 +283,7 @@ buf_t *
buf_new_with_data(const char *cp, size_t sz)
{
/* Validate arguments */
if (!cp || sz <= 0) {
if (!cp || sz <= 0 || sz >= INT_MAX) {
return NULL;
}
......@@ -657,7 +657,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
char b[4096];
size_t cp, len;
if (BUG(buf_out->datalen >= INT_MAX))
if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX))
return -1;
if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
return -1;
......@@ -689,6 +689,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
tor_assert(buf_out);
if (!buf_in)
return;
if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
return;
if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
return;
if (buf_out->head == NULL) {
buf_out->head = buf_in->head;
......@@ -756,6 +760,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
static inline int
buf_pos_inc(buf_pos_t *pos)
{
tor_assert(pos->pos < INT_MAX - 1);
++pos->pos;
if (pos->pos == (off_t)pos->chunk->datalen) {
if (!pos->chunk->next)
......@@ -836,6 +841,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
{
chunk_t *chunk;
off_t offset = 0;
tor_assert(buf->datalen < INT_MAX);
for (chunk = buf->head; chunk; chunk = chunk->next) {
char *cp = memchr(chunk->data, ch, chunk->datalen);
if (cp)
......@@ -905,6 +911,7 @@ buf_assert_ok(buf_t *buf)
for (ch = buf->head; ch; ch = ch->next) {
total += ch->datalen;
tor_assert(ch->datalen <= ch->memlen);
tor_assert(ch->datalen < INT_MAX);
tor_assert(ch->data >= &ch->mem[0]);
tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
if (ch->data == &ch->mem[0]+ch->memlen) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment