Merge remote-tracking branch 'tor-github/pr/920' into maint-0.4.0

This commit is contained in:
teor 2019-04-10 18:26:49 +10:00
commit 454bdb22ee
No known key found for this signature in database
GPG Key ID: 10FEAA0E7075672A
3 changed files with 18 additions and 2 deletions

5
changes/bug30041 Normal file
View File

@ -0,0 +1,5 @@
o Minor bugfixes (hardening):
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the event
of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by
Tobias Stoeckmann.

View File

@ -3788,6 +3788,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) { if (conn->linked_conn) {
result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf, result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen); &conn->linked_conn->outbuf_flushlen);
if (BUG(result<0)) {
log_warn(LD_BUG, "reading from linked connection buffer failed.");
return -1;
}
} else { } else {
result = 0; result = 0;
} }

View File

@ -283,7 +283,7 @@ buf_t *
buf_new_with_data(const char *cp, size_t sz) buf_new_with_data(const char *cp, size_t sz)
{ {
/* Validate arguments */ /* Validate arguments */
if (!cp || sz <= 0) { if (!cp || sz <= 0 || sz >= INT_MAX) {
return NULL; return NULL;
} }
@ -657,7 +657,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
char b[4096]; char b[4096];
size_t cp, len; size_t cp, len;
if (BUG(buf_out->datalen >= INT_MAX)) if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX))
return -1; return -1;
if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
return -1; return -1;
@ -689,6 +689,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
tor_assert(buf_out); tor_assert(buf_out);
if (!buf_in) if (!buf_in)
return; return;
if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
return;
if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
return;
if (buf_out->head == NULL) { if (buf_out->head == NULL) {
buf_out->head = buf_in->head; buf_out->head = buf_in->head;
@ -756,6 +760,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
static inline int static inline int
buf_pos_inc(buf_pos_t *pos) buf_pos_inc(buf_pos_t *pos)
{ {
tor_assert(pos->pos < INT_MAX - 1);
++pos->pos; ++pos->pos;
if (pos->pos == (off_t)pos->chunk->datalen) { if (pos->pos == (off_t)pos->chunk->datalen) {
if (!pos->chunk->next) if (!pos->chunk->next)
@ -836,6 +841,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
{ {
chunk_t *chunk; chunk_t *chunk;
off_t offset = 0; off_t offset = 0;
tor_assert(buf->datalen < INT_MAX);
for (chunk = buf->head; chunk; chunk = chunk->next) { for (chunk = buf->head; chunk; chunk = chunk->next) {
char *cp = memchr(chunk->data, ch, chunk->datalen); char *cp = memchr(chunk->data, ch, chunk->datalen);
if (cp) if (cp)
@ -905,6 +911,7 @@ buf_assert_ok(buf_t *buf)
for (ch = buf->head; ch; ch = ch->next) { for (ch = buf->head; ch; ch = ch->next) {
total += ch->datalen; total += ch->datalen;
tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->datalen <= ch->memlen);
tor_assert(ch->datalen < INT_MAX);
tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data >= &ch->mem[0]);
tor_assert(ch->data <= &ch->mem[0]+ch->memlen); tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
if (ch->data == &ch->mem[0]+ch->memlen) { if (ch->data == &ch->mem[0]+ch->memlen) {