Loading changes/bug33131 0 → 100644 +3 −0 Original line number Diff line number Diff line o Minor bugfixes (mainloop): - Better guard against growing a buffer past its maximum 2GB in size. Fixes bug 33131; bugfix on 0.3.0.4-rc. src/core/mainloop/connection.c +6 −0 Original line number Diff line number Diff line Loading @@ -3814,6 +3814,12 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, at_most = connection_bucket_read_limit(conn, approx_time()); } /* Do not allow inbuf to grow past BUF_MAX_LEN. */ const ssize_t maximum = BUF_MAX_LEN - buf_datalen(conn->inbuf); if (at_most > maximum) { at_most = maximum; } slack_in_buf = buf_slack(conn->inbuf); again: if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) { Loading src/lib/buf/buffers.c +15 −15 Original line number Diff line number Diff line Loading @@ -285,7 +285,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ if (!cp || sz <= 0 || sz >= INT_MAX) { if (!cp || sz <= 0 || sz > BUF_MAX_LEN) { return NULL; } Loading Loading @@ -530,9 +530,9 @@ buf_add(buf_t *buf, const char *string, size_t string_len) return (int)buf->datalen; check(); if (BUG(buf->datalen >= INT_MAX)) if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; if (BUG(buf->datalen >= INT_MAX - string_len)) if (BUG(buf->datalen > BUF_MAX_LEN - string_len)) return -1; while (string_len) { Loading @@ -551,7 +551,7 @@ buf_add(buf_t *buf, const char *string, size_t string_len) } check(); tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } Loading Loading @@ -645,7 +645,7 @@ buf_get_bytes(buf_t *buf, char *string, size_t string_len) buf_peek(buf, string, string_len); buf_drain(buf, string_len); check(); tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } Loading 
@@ -660,9 +660,9 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX)) if (BUG(buf_out->datalen > BUF_MAX_LEN || *buf_flushlen > BUF_MAX_LEN)) return -1; if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) if (BUG(buf_out->datalen > BUF_MAX_LEN - *buf_flushlen)) return -1; len = *buf_flushlen; Loading @@ -670,7 +670,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) len = buf_in->datalen; cp = len; /* Remember the number of bytes we intend to copy. */ tor_assert(cp < INT_MAX); tor_assert(cp <= BUF_MAX_LEN); while (len) { /* This isn't the most efficient implementation one could imagine, since * it does two copies instead of 1, but I kinda doubt that this will be Loading @@ -692,9 +692,9 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX)) if (BUG(buf_out->datalen > BUF_MAX_LEN || buf_in->datalen > BUF_MAX_LEN)) return; if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen)) if (BUG(buf_out->datalen > BUF_MAX_LEN - buf_in->datalen)) return; if (buf_out->head == NULL) { Loading Loading @@ -748,7 +748,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) char *cp = memchr(chunk->data+pos, ch, chunk->datalen - pos); if (cp) { out->chunk = chunk; tor_assert(cp - chunk->data < INT_MAX); tor_assert(cp - chunk->data <= BUF_MAX_LEN); out->pos = (int)(cp - chunk->data); return out->chunk_pos + out->pos; } else { Loading @@ -764,7 +764,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) static inline int buf_pos_inc(buf_pos_t *pos) { tor_assert(pos->pos < INT_MAX - 1); tor_assert(pos->pos < BUF_MAX_LEN); ++pos->pos; if (pos->pos == (ptrdiff_t)pos->chunk->datalen) { if (!pos->chunk->next) Loading Loading 
@@ -811,7 +811,7 @@ buf_find_string_offset(const buf_t *buf, const char *s, size_t n) buf_pos_init(buf, &pos); while (buf_find_pos_of_char(*s, &pos) >= 0) { if (buf_matches_at_pos(&pos, s, n)) { tor_assert(pos.chunk_pos + pos.pos < INT_MAX); tor_assert(pos.chunk_pos + pos.pos <= BUF_MAX_LEN); return (int)(pos.chunk_pos + pos.pos); } else { if (buf_pos_inc(&pos)<0) Loading Loading @@ -845,7 +845,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; ptrdiff_t offset = 0; tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) Loading Loading @@ -915,7 +915,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->datalen < INT_MAX); tor_assert(ch->datalen <= BUF_MAX_LEN); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { Loading src/lib/buf/buffers.h +3 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,9 @@ void buf_free_(buf_t *buf); void buf_clear(buf_t *buf); buf_t *buf_copy(const buf_t *buf); /** Maximum bytes in a buffer, inclusive. */ #define BUF_MAX_LEN (INT_MAX - 1) MOCK_DECL(size_t, buf_datalen, (const buf_t *buf)); size_t buf_allocation(const buf_t *buf); size_t buf_slack(const buf_t *buf); Loading src/lib/net/buffers_net.c +6 −6 Original line number Diff line number Diff line Loading @@ -76,7 +76,7 @@ read_to_chunk(buf_t *buf, chunk_t *chunk, tor_socket_t fd, size_t at_most, chunk->datalen += read_result; log_debug(LD_NET,"Read %ld bytes. %d on inbuf.", (long)read_result, (int)buf->datalen); tor_assert(read_result < INT_MAX); tor_assert(read_result <= BUF_MAX_LEN); return (int)read_result; } } Loading 
@@ -103,9 +103,9 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, tor_assert(reached_eof); tor_assert(SOCKET_OK(fd)); if (BUG(buf->datalen >= INT_MAX)) if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; if (BUG(buf->datalen >= INT_MAX - at_most)) if (BUG(buf->datalen > BUF_MAX_LEN - at_most)) return -1; while (at_most > total_read) { Loading @@ -127,7 +127,7 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, check(); if (r < 0) return r; /* Error */ tor_assert(total_read+r < INT_MAX); tor_assert(total_read+r <= BUF_MAX_LEN); total_read += r; if ((size_t)r < readlen) { /* eof, block, or no more to read. */ break; Loading Loading @@ -170,7 +170,7 @@ flush_chunk(tor_socket_t fd, buf_t *buf, chunk_t *chunk, size_t sz, } else { *buf_flushlen -= write_result; buf_drain(buf, write_result); tor_assert(write_result < INT_MAX); tor_assert(write_result <= BUF_MAX_LEN); return (int)write_result; } } Loading Loading @@ -217,7 +217,7 @@ buf_flush_to_fd(buf_t *buf, int fd, size_t sz, if (r == 0 || (size_t)r < flushlen0) /* can't flush any more now. */ break; } tor_assert(flushed < INT_MAX); tor_assert(flushed <= BUF_MAX_LEN); return (int)flushed; } Loading Loading
changes/bug33131 0 → 100644 +3 −0 o Minor bugfixes (mainloop): - Better guard against growing a buffer past its maximum 2GB in size. Fixes bug 33131; bugfix on 0.3.0.4-rc.
src/core/mainloop/connection.c +6 −0 @@ -3814,6 +3814,12 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, at_most = connection_bucket_read_limit(conn, approx_time()); } /* Do not allow inbuf to grow past BUF_MAX_LEN. */ const ssize_t maximum = BUF_MAX_LEN - buf_datalen(conn->inbuf); if (at_most > maximum) { at_most = maximum; } slack_in_buf = buf_slack(conn->inbuf); again: if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) {
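Review bot: The new clamp computes `BUF_MAX_LEN - buf_datalen(conn->inbuf)` with a `size_t` operand, so the subtraction is unsigned and wraps if the buffer length is ever above BUF_MAX_LEN; converted to `ssize_t` that would most likely give a negative `maximum`, and the `(size_t)at_most` cast a few lines below turns a negative `at_most` into a very large read size. That state should not occur, but this hunk is the guard against it, so the computation is worth making safe on its own: `const size_t inbuf_len = buf_datalen(conn->inbuf);` followed by `const ssize_t maximum = inbuf_len < BUF_MAX_LEN ? (ssize_t)(BUF_MAX_LEN - inbuf_len) : 0;`. A short comment on what a clamp to zero means (inbuf already full) would also help, since the handling of `at_most == 0` is outside the hunk. The body of connection_buf_read_from_socket starts and ends outside the hunk.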
src/lib/buf/buffers.c +15 −15 Original line number Diff line number Diff line Loading @@ -285,7 +285,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ if (!cp || sz <= 0 || sz >= INT_MAX) { if (!cp || sz <= 0 || sz > BUF_MAX_LEN) { return NULL; } Loading Loading @@ -530,9 +530,9 @@ buf_add(buf_t *buf, const char *string, size_t string_len) return (int)buf->datalen; check(); if (BUG(buf->datalen >= INT_MAX)) if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; if (BUG(buf->datalen >= INT_MAX - string_len)) if (BUG(buf->datalen > BUF_MAX_LEN - string_len)) return -1; while (string_len) { Loading @@ -551,7 +551,7 @@ buf_add(buf_t *buf, const char *string, size_t string_len) } check(); tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } Loading Loading @@ -645,7 +645,7 @@ buf_get_bytes(buf_t *buf, char *string, size_t string_len) buf_peek(buf, string, string_len); buf_drain(buf, string_len); check(); tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } Loading @@ -660,9 +660,9 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX)) if (BUG(buf_out->datalen > BUF_MAX_LEN || *buf_flushlen > BUF_MAX_LEN)) return -1; if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) if (BUG(buf_out->datalen > BUF_MAX_LEN - *buf_flushlen)) return -1; len = *buf_flushlen; Loading @@ -670,7 +670,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) len = buf_in->datalen; cp = len; /* Remember the number of bytes we intend to copy. */ tor_assert(cp < INT_MAX); tor_assert(cp <= BUF_MAX_LEN); while (len) { /* This isn't the most efficient implementation one could imagine, since * it does two copies instead of 1, but I kinda doubt that this will be Loading 
@@ -692,9 +692,9 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX)) if (BUG(buf_out->datalen > BUF_MAX_LEN || buf_in->datalen > BUF_MAX_LEN)) return; if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen)) if (BUG(buf_out->datalen > BUF_MAX_LEN - buf_in->datalen)) return; if (buf_out->head == NULL) { Loading Loading @@ -748,7 +748,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) char *cp = memchr(chunk->data+pos, ch, chunk->datalen - pos); if (cp) { out->chunk = chunk; tor_assert(cp - chunk->data < INT_MAX); tor_assert(cp - chunk->data <= BUF_MAX_LEN); out->pos = (int)(cp - chunk->data); return out->chunk_pos + out->pos; } else { Loading @@ -764,7 +764,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) static inline int buf_pos_inc(buf_pos_t *pos) { tor_assert(pos->pos < INT_MAX - 1); tor_assert(pos->pos < BUF_MAX_LEN); ++pos->pos; if (pos->pos == (ptrdiff_t)pos->chunk->datalen) { if (!pos->chunk->next) Loading Loading @@ -811,7 +811,7 @@ buf_find_string_offset(const buf_t *buf, const char *s, size_t n) buf_pos_init(buf, &pos); while (buf_find_pos_of_char(*s, &pos) >= 0) { if (buf_matches_at_pos(&pos, s, n)) { tor_assert(pos.chunk_pos + pos.pos < INT_MAX); tor_assert(pos.chunk_pos + pos.pos <= BUF_MAX_LEN); return (int)(pos.chunk_pos + pos.pos); } else { if (buf_pos_inc(&pos)<0) Loading Loading @@ -845,7 +845,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; ptrdiff_t offset = 0; tor_assert(buf->datalen < INT_MAX); tor_assert(buf->datalen <= BUF_MAX_LEN); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) Loading Loading 
@@ -915,7 +915,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->datalen < INT_MAX); tor_assert(ch->datalen <= BUF_MAX_LEN); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { Loading
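Review bot: In buf_add the second guard, `buf->datalen > BUF_MAX_LEN - string_len`, still wraps when `string_len` itself is larger than BUF_MAX_LEN, because `string_len` is a `size_t` and the subtraction is done unsigned; the wrapped right-hand side is huge, the check passes, and the oversized add is only caught by the `tor_assert` at the end of the function. Since the first guard has already established `buf->datalen <= BUF_MAX_LEN`, subtracting on the other side cannot wrap: `if (BUG(string_len > BUF_MAX_LEN - buf->datalen))`. The same form appears in buf_read_from_fd in src/lib/net/buffers_net.c with `at_most`; buf_move_to_buf and buf_move_all are not affected because they bound both operands first. The shape predates this commit (the old `INT_MAX - string_len` had it too), and buf_add's body is only partly visible here.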
src/lib/buf/buffers.h +3 −0 @@ -29,6 +29,9 @@ void buf_free_(buf_t *buf); void buf_clear(buf_t *buf); buf_t *buf_copy(const buf_t *buf); /** Maximum bytes in a buffer, inclusive. */ #define BUF_MAX_LEN (INT_MAX - 1) MOCK_DECL(size_t, buf_datalen, (const buf_t *buf)); size_t buf_allocation(const buf_t *buf); size_t buf_slack(const buf_t *buf);
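Review bot: The doc comment on BUF_MAX_LEN does not say that the macro has type `int`, which matters at the call sites in this commit: they compare it with `size_t`, `ssize_t` and `ptrdiff_t` values and subtract `size_t` lengths from it. I would extend it to something like `/** Maximum bytes in a buffer, inclusive. Has type int; with a size_t operand the arithmetic is unsigned, so bound that operand before subtracting it from BUF_MAX_LEN. */`. Whether this header already pulls in `<limits.h>` for INT_MAX is not visible in the hunk.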
src/lib/net/buffers_net.c +6 −6 Original line number Diff line number Diff line Loading @@ -76,7 +76,7 @@ read_to_chunk(buf_t *buf, chunk_t *chunk, tor_socket_t fd, size_t at_most, chunk->datalen += read_result; log_debug(LD_NET,"Read %ld bytes. %d on inbuf.", (long)read_result, (int)buf->datalen); tor_assert(read_result < INT_MAX); tor_assert(read_result <= BUF_MAX_LEN); return (int)read_result; } } Loading @@ -103,9 +103,9 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, tor_assert(reached_eof); tor_assert(SOCKET_OK(fd)); if (BUG(buf->datalen >= INT_MAX)) if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; if (BUG(buf->datalen >= INT_MAX - at_most)) if (BUG(buf->datalen > BUF_MAX_LEN - at_most)) return -1; while (at_most > total_read) { Loading @@ -127,7 +127,7 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, check(); if (r < 0) return r; /* Error */ tor_assert(total_read+r < INT_MAX); tor_assert(total_read+r <= BUF_MAX_LEN); total_read += r; if ((size_t)r < readlen) { /* eof, block, or no more to read. */ break; Loading Loading @@ -170,7 +170,7 @@ flush_chunk(tor_socket_t fd, buf_t *buf, chunk_t *chunk, size_t sz, } else { *buf_flushlen -= write_result; buf_drain(buf, write_result); tor_assert(write_result < INT_MAX); tor_assert(write_result <= BUF_MAX_LEN); return (int)write_result; } } Loading Loading @@ -217,7 +217,7 @@ buf_flush_to_fd(buf_t *buf, int fd, size_t sz, if (r == 0 || (size_t)r < flushlen0) /* can't flush any more now. */ break; } tor_assert(flushed < INT_MAX); tor_assert(flushed <= BUF_MAX_LEN); return (int)flushed; } Loading
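Review bot: The closing bound checks in this file remain `tor_assert`s (`tor_assert(read_result <= BUF_MAX_LEN)` in read_to_chunk, `tor_assert(total_read+r <= BUF_MAX_LEN)` in buf_read_from_fd, and the ones in flush_chunk and buf_flush_to_fd), so on these socket-facing paths a violated bound stops the whole process rather than failing the one connection. The entry checks in buf_read_from_fd already use the recoverable form, and the late checks could follow it where the function has an error return, e.g. `if (BUG(total_read + r > BUF_MAX_LEN)) return -1;`. In read_to_chunk the check also runs after `chunk->datalen += read_result` has been applied, so it would be better placed before the lengths are updated. All four functions are only partly visible in these hunks, so confirm that the callers treat -1 as a per-connection error.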