Nick Mathewson
Tor
Commits
e3ba9b7a
Commit
e3ba9b7a
authored
Aug 09, 2019
by
teor
Merge remote-tracking branch 'tor-github/pr/920' into maint-0.3.5
parents
519556ef
c24928dd
Changes
3
changes/bug30041
0 → 100644
o Minor bugfixes (hardening):
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the event
of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by
Tobias Stoeckmann.
src/core/mainloop/connection.c
...
...
@@ -3759,6 +3759,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if
(
conn
->
linked_conn
)
{
result
=
buf_move_to_buf
(
conn
->
inbuf
,
conn
->
linked_conn
->
outbuf
,
&
conn
->
linked_conn
->
outbuf_flushlen
);
if
(
BUG
(
result
<
0
))
{
log_warn
(
LD_BUG
,
"reading from linked connection buffer failed."
);
return
-
1
;
}
}
else
{
result
=
0
;
}
...
...
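Review bot: The new `if (BUG(result<0))` branch does not say why a move between linked buffers can fail, so a reader of connection.c cannot tell what condition the -1 represents. As far as the buffers.c part of this commit shows, buf_move_to_buf() returns -1 from its INT_MAX length checks, so a comment above the check such as `/* buf_move_to_buf() fails when a buffer length would reach INT_MAX; treat as a read error. */` would make that clear. connection_buf_read_from_socket starts and ends outside the hunk, so how its callers handle the -1 is not visible here.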
src/lib/container/buffers.c
...
...
@@ -283,7 +283,7 @@ buf_t *
buf_new_with_data
(
const
char
*
cp
,
size_t
sz
)
{
/* Validate arguments */
if
(
!
cp
||
sz
<=
0
)
{
if
(
!
cp
||
sz
<=
0
||
sz
>=
INT_MAX
)
{
return
NULL
;
}
...
...
@@ -657,7 +657,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
char
b
[
4096
];
size_t
cp
,
len
;
if
(
BUG
(
buf_out
->
datalen
>=
INT_MAX
))
if
(
BUG
(
buf_out
->
datalen
>=
INT_MAX
||
*
buf_flushlen
>=
INT_MAX
))
return
-
1
;
if
(
BUG
(
buf_out
->
datalen
>=
INT_MAX
-
*
buf_flushlen
))
return
-
1
;
...
...
@@ -689,6 +689,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
tor_assert
(
buf_out
);
if
(
!
buf_in
)
return
;
if
(
BUG
(
buf_out
->
datalen
>=
INT_MAX
||
buf_in
->
datalen
>=
INT_MAX
))
return
;
if
(
BUG
(
buf_out
->
datalen
>=
INT_MAX
-
buf_in
->
datalen
))
return
;
if
(
buf_out
->
head
==
NULL
)
{
buf_out
->
head
=
buf_in
->
head
;
...
...
@@ -756,6 +760,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
static
inline
int
buf_pos_inc
(
buf_pos_t
*
pos
)
{
tor_assert
(
pos
->
pos
<
INT_MAX
-
1
);
++
pos
->
pos
;
if
(
pos
->
pos
==
(
off_t
)
pos
->
chunk
->
datalen
)
{
if
(
!
pos
->
chunk
->
next
)
...
...
@@ -836,6 +841,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
{
chunk_t
*
chunk
;
off_t
offset
=
0
;
tor_assert
(
buf
->
datalen
<
INT_MAX
);
for
(
chunk
=
buf
->
head
;
chunk
;
chunk
=
chunk
->
next
)
{
char
*
cp
=
memchr
(
chunk
->
data
,
ch
,
chunk
->
datalen
);
if
(
cp
)
...
...
@@ -905,6 +911,7 @@ buf_assert_ok(buf_t *buf)
for
(
ch
=
buf
->
head
;
ch
;
ch
=
ch
->
next
)
{
total
+=
ch
->
datalen
;
tor_assert
(
ch
->
datalen
<=
ch
->
memlen
);
tor_assert
(
ch
->
datalen
<
INT_MAX
);
tor_assert
(
ch
->
data
>=
&
ch
->
mem
[
0
]);
tor_assert
(
ch
->
data
<=
&
ch
->
mem
[
0
]
+
ch
->
memlen
);
if
(
ch
->
data
==
&
ch
->
mem
[
0
]
+
ch
->
memlen
)
{
...
...
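Review bot: The added `tor_assert(pos->pos < INT_MAX - 1)` in buf_pos_inc and `tor_assert(buf->datalen < INT_MAX)` in buf_find_offset_of_char abort the process when the limit is hit, while the same limit in buf_move_to_buf and buf_move_all is handled with `BUG()` and an early return. For a network-facing daemon a recoverable failure is usually preferable where the function can report one; buf_pos_inc returns int, so `if (BUG(pos->pos >= INT_MAX - 1)) return -1;` would match the other hunks, provided -1 is already its failure value (the rest of its body is outside the hunk). If the hard assert is deliberate, a one-line comment saying so would help. The new assert in buf_assert_ok is fine as it is, since that function consists of assertions.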