Merge branch 'maint-0.2.8'

This commit is contained in:
Nick Mathewson 2016-10-17 14:51:45 -04:00
commit 1a74881063
2 changed files with 43 additions and 8 deletions

11
changes/buf-sentinel Normal file
View File

@ -0,0 +1,11 @@
o Major features (security fixes):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket 20384
(TROVE-2016-10-001).

View File

@ -82,12 +82,33 @@ static int parse_socks_client(const uint8_t *data, size_t datalen,
#define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0]) #define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0])
/* We leave this many NUL bytes at the end of the buffer. */
#define SENTINEL_LEN 4
/* Header size plus NUL bytes at the end */
#define CHUNK_OVERHEAD (CHUNK_HEADER_LEN + SENTINEL_LEN)
/** Return the number of bytes needed to allocate a chunk to hold /** Return the number of bytes needed to allocate a chunk to hold
* <b>memlen</b> bytes. */ * <b>memlen</b> bytes. */
#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_HEADER_LEN + (memlen)) #define CHUNK_ALLOC_SIZE(memlen) (CHUNK_OVERHEAD + (memlen))
/** Return the number of usable bytes in a chunk allocated with /** Return the number of usable bytes in a chunk allocated with
* malloc(<b>memlen</b>). */ * malloc(<b>memlen</b>). */
#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_HEADER_LEN) #define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_OVERHEAD)
#define DEBUG_SENTINEL
#ifdef DEBUG_SENTINEL
#define DBG_S(s) s
#else
#define DBG_S(s) (void)0
#endif
#define CHUNK_SET_SENTINEL(chunk, alloclen) do { \
uint8_t *a = (uint8_t*) &(chunk)->mem[(chunk)->memlen]; \
DBG_S(uint8_t *b = &((uint8_t*)(chunk))[(alloclen)-SENTINEL_LEN]); \
DBG_S(tor_assert(a == b)); \
memset(a,0,SENTINEL_LEN); \
} while (0)
/** Return the next character in <b>chunk</b> onto which data can be appended. /** Return the next character in <b>chunk</b> onto which data can be appended.
* If the chunk is full, this might be off the end of chunk->mem. */ * If the chunk is full, this might be off the end of chunk->mem. */
@ -144,6 +165,7 @@ chunk_new_with_alloc_size(size_t alloc)
ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc); ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc);
total_bytes_allocated_in_chunks += alloc; total_bytes_allocated_in_chunks += alloc;
ch->data = &ch->mem[0]; ch->data = &ch->mem[0];
CHUNK_SET_SENTINEL(ch, alloc);
return ch; return ch;
} }
@ -153,18 +175,20 @@ static inline chunk_t *
chunk_grow(chunk_t *chunk, size_t sz) chunk_grow(chunk_t *chunk, size_t sz)
{ {
off_t offset; off_t offset;
size_t memlen_orig = chunk->memlen; const size_t memlen_orig = chunk->memlen;
const size_t orig_alloc = CHUNK_ALLOC_SIZE(memlen_orig);
const size_t new_alloc = CHUNK_ALLOC_SIZE(sz);
tor_assert(sz > chunk->memlen); tor_assert(sz > chunk->memlen);
offset = chunk->data - chunk->mem; offset = chunk->data - chunk->mem;
chunk = tor_realloc(chunk, CHUNK_ALLOC_SIZE(sz)); chunk = tor_realloc(chunk, new_alloc);
chunk->memlen = sz; chunk->memlen = sz;
chunk->data = chunk->mem + offset; chunk->data = chunk->mem + offset;
#ifdef DEBUG_CHUNK_ALLOC #ifdef DEBUG_CHUNK_ALLOC
tor_assert(chunk->DBG_alloc == CHUNK_ALLOC_SIZE(memlen_orig)); tor_assert(chunk->DBG_alloc == orig_alloc);
chunk->DBG_alloc = CHUNK_ALLOC_SIZE(sz); chunk->DBG_alloc = new_alloc;
#endif #endif
total_bytes_allocated_in_chunks += total_bytes_allocated_in_chunks += new_alloc - orig_alloc;
CHUNK_ALLOC_SIZE(sz) - CHUNK_ALLOC_SIZE(memlen_orig); CHUNK_SET_SENTINEL(chunk, new_alloc);
return chunk; return chunk;
} }