Merge remote-tracking branch 'public/bug13104_025'

changes/bug13104

@@ -0,0 +1,4 @@
+  o Minor bugfixes:
+    - Fix several instances of possible integer overflow/underflow/NaN.
+      Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches from
+      "teor".

src/common/util.c

@@ -2837,10 +2837,14 @@ scan_unsigned(const char **bufp, unsigned long *out, int width, int base)
   while (**bufp && (hex?TOR_ISXDIGIT(**bufp):TOR_ISDIGIT(**bufp))
          && scanned_so_far < width) {
     int digit = hex?hex_decode_digit(*(*bufp)++):digit_to_num(*(*bufp)++);
-    unsigned long new_result = result * base + digit;
-    if (new_result < result)
-      return -1; /* over/underflow. */
-    result = new_result;
+    // Check for overflow beforehand, without actually causing any overflow
+    // This preserves functionality on compilers that don't wrap overflow
+    // (i.e. that trap or optimise away overflow)
+    // result * base + digit > ULONG_MAX
+    // result * base > ULONG_MAX - digit
+    if (result > (ULONG_MAX - digit)/base)
+      return -1; /* Processing this digit would overflow */
+    result = result * base + digit;
     ++scanned_so_far;
   }
 
@@ -2875,10 +2879,17 @@ scan_signed(const char **bufp, long *out, int width)
   if (scan_unsigned(bufp, &result, width, 10) < 0)
     return -1;
 
-  if (neg) {
+  if (neg && result > 0) {
     if (result > ((unsigned long)LONG_MAX) + 1)
       return -1; /* Underflow */
-    *out = -(long)result;
+    // Avoid overflow on the cast to signed long when result is LONG_MIN
+    // by subtracting 1 from the unsigned long positive value,
+    // then, after it has been cast to signed and negated,
+    // subtracting the original 1 (the double-subtraction is intentional).
+    // Otherwise, the cast to signed could cause a temporary long
+    // to equal LONG_MAX + 1, which is undefined.
+    // We avoid underflow on the subtraction by treating -0 as positive.
+    *out = (-(long)(result - 1)) - 1;
   } else {
     if (result > LONG_MAX)
       return -1; /* Overflow */
@@ -3577,7 +3588,13 @@ format_helper_exit_status(unsigned char child_state, int saved_errno,
 
   /* Convert errno to be unsigned for hex conversion */
   if (saved_errno < 0) {
-    unsigned_errno = (unsigned int) -saved_errno;
+    // Avoid overflow on the cast to unsigned int when result is INT_MIN
+    // by adding 1 to the signed int negative value,
+    // then, after it has been negated and cast to unsigned,
+    // adding the original 1 back (the double-addition is intentional).
+    // Otherwise, the cast to signed could cause a temporary int
+    // to equal INT_MAX + 1, which is undefined.
+    unsigned_errno = ((unsigned int) -(saved_errno + 1)) + 1;
   } else {
     unsigned_errno = (unsigned int) saved_errno;
   }

src/or/routerlist.c

@@ -1804,7 +1804,7 @@ scale_array_elements_to_u64(u64_dbl_t *entries, int n_entries,
                             uint64_t *total_out)
 {
   double total = 0.0;
-  double scale_factor;
+  double scale_factor = 0.0;
   int i;
   /* big, but far away from overflowing an int64_t */
 #define SCALE_TO_U64_MAX ((int64_t) (INT64_MAX / 4))
@@ -1812,7 +1812,8 @@ scale_array_elements_to_u64(u64_dbl_t *entries, int n_entries,
   for (i = 0; i < n_entries; ++i)
     total += entries[i].dbl;
 
-  scale_factor = SCALE_TO_U64_MAX / total;
+  if (total > 0.0)
+    scale_factor = SCALE_TO_U64_MAX / total;
 
   for (i = 0; i < n_entries; ++i)
     entries[i].u64 = tor_llround(entries[i].dbl * scale_factor);

src/test/test_dir.c

@@ -1733,10 +1733,37 @@ test_dir_scale_bw(void *testdata)
   tt_assert(total <= (U64_LITERAL(1)<<62));
 
   for (i=0; i<8; ++i) {
+    /* vals[2].u64 is the scaled value of 1.0 */
     double ratio = ((double)vals[i].u64) / vals[2].u64;
     tt_double_op(fabs(ratio - v[i]), <, .00001);
   }
 
+  /* test handling of no entries */
+  total = 1;
+  scale_array_elements_to_u64(vals, 0, &total);
+  tt_assert(total == 0);
+
+  /* make sure we don't read the array when we have no entries
+   * may require compiler flags to catch NULL dereferences */
+  total = 1;
+  scale_array_elements_to_u64(NULL, 0, &total);
+  tt_assert(total == 0);
+
+  scale_array_elements_to_u64(NULL, 0, NULL);
+
+  /* test handling of zero totals */
+  total = 1;
+  vals[0].dbl = 0.0;
+  scale_array_elements_to_u64(vals, 1, &total);
+  tt_assert(total == 0);
+  tt_assert(vals[0].u64 == 0);
+
+  vals[0].dbl = 0.0;
+  vals[1].dbl = 0.0;
+  scale_array_elements_to_u64(vals, 2, NULL);
+  tt_assert(vals[0].u64 == 0);
+  tt_assert(vals[1].u64 == 0);
+
  done:
   ;
 }

src/test/test_util.c

@@ -1688,6 +1688,7 @@ static void
 test_util_sscanf(void)
 {
   unsigned u1, u2, u3;
+  unsigned long ulng;
   char s1[20], s2[10], s3[10], ch;
   int r;
   long lng1,lng2;
@@ -1729,11 +1730,6 @@ test_util_sscanf(void)
   test_eq(0, tor_sscanf("", "%u", &u1)); /* absent number */
   test_eq(0, tor_sscanf("A", "%u", &u1)); /* bogus number */
   test_eq(0, tor_sscanf("-1", "%u", &u1)); /* negative number */
-  test_eq(1, tor_sscanf("4294967295", "%u", &u1)); /* UINT32_MAX should work */
-  test_eq(4294967295u, u1);
-  test_eq(0, tor_sscanf("4294967296", "%u", &u1)); /* But not at 32 bits */
-  test_eq(1, tor_sscanf("4294967296", "%9u", &u1)); /* but parsing only 9... */
-  test_eq(429496729u, u1);
 
   /* Numbers with size (eg. %2u) */
   test_eq(0, tor_sscanf("-1", "%2u", &u1));
@@ -1828,46 +1824,191 @@ test_util_sscanf(void)
   test_eq(int2, -1);
 
 #if SIZEOF_INT == 4
+  /* %u */
+  /* UINT32_MAX should work */
+  test_eq(1, tor_sscanf("4294967295", "%u", &u1));
+  test_eq(4294967295U, u1);
+
+  /* But UINT32_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("4294967296", "%u", &u1));
+  /* but parsing only 9... */
+  test_eq(1, tor_sscanf("4294967296", "%9u", &u1));
+  test_eq(429496729U, u1);
+
+  /* %x */
+  /* UINT32_MAX should work */
+  test_eq(1, tor_sscanf("FFFFFFFF", "%x", &u1));
+  test_eq(0xFFFFFFFF, u1);
+
+  /* But UINT32_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("100000000", "%x", &u1));
+
+  /* %d */
+  /* INT32_MIN and INT32_MAX should work */
   r = tor_sscanf("-2147483648. 2147483647.", "%d. %d.", &int1, &int2);
   test_eq(r,2);
-  test_eq(int1, -2147483647-1);
+  test_eq(int1, -2147483647 - 1);
   test_eq(int2, 2147483647);
 
-  r = tor_sscanf("-2147483679.", "%d.", &int1);
+  /* But INT32_MIN - 1 and INT32_MAX + 1 shouldn't work */
+  r = tor_sscanf("-2147483649.", "%d.", &int1);
   test_eq(r,0);
 
-  r = tor_sscanf("2147483678.", "%d.", &int1);
+  r = tor_sscanf("2147483648.", "%d.", &int1);
+  test_eq(r,0);
+
+  /* and the first failure stops further processing */
+  r = tor_sscanf("-2147483648. 2147483648.",
+                 "%d. %d.", &int1, &int2);
+  test_eq(r,1);
+
+  r = tor_sscanf("-2147483649. 2147483647.",
+                 "%d. %d.", &int1, &int2);
+  test_eq(r,0);
+
+  r = tor_sscanf("2147483648. -2147483649.",
+                 "%d. %d.", &int1, &int2);
   test_eq(r,0);
 #elif SIZEOF_INT == 8
+  /* %u */
+  /* UINT64_MAX should work */
+  test_eq(1, tor_sscanf("18446744073709551615", "%u", &u1));
+  test_eq(18446744073709551615U, u1);
+
+  /* But UINT64_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("18446744073709551616", "%u", &u1));
+  /* but parsing only 19... */
+  test_eq(1, tor_sscanf("18446744073709551616", "%19u", &u1));
+  test_eq(1844674407370955161U, u1);
+
+  /* %x */
+  /* UINT64_MAX should work */
+  test_eq(1, tor_sscanf("FFFFFFFFFFFFFFFF", "%x", &u1));
+  test_eq(0xFFFFFFFFFFFFFFFF, u1);
+
+  /* But UINT64_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("10000000000000000", "%x", &u1));
+
+  /* %d */
+  /* INT64_MIN and INT64_MAX should work */
   r = tor_sscanf("-9223372036854775808. 9223372036854775807.",
                  "%d. %d.", &int1, &int2);
   test_eq(r,2);
-  test_eq(int1, -9223372036854775807-1);
+  test_eq(int1, -9223372036854775807 - 1);
   test_eq(int2, 9223372036854775807);
 
+  /* But INT64_MIN - 1 and INT64_MAX + 1 shouldn't work */
   r = tor_sscanf("-9223372036854775809.", "%d.", &int1);
   test_eq(r,0);
 
   r = tor_sscanf("9223372036854775808.", "%d.", &int1);
   test_eq(r,0);
+
+  /* and the first failure stops further processing */
+  r = tor_sscanf("-9223372036854775808. 9223372036854775808.",
+                 "%d. %d.", &int1, &int2);
+  test_eq(r,1);
+
+  r = tor_sscanf("-9223372036854775809. 9223372036854775807.",
+                 "%d. %d.", &int1, &int2);
+  test_eq(r,0);
+
+  r = tor_sscanf("9223372036854775808. -9223372036854775809.",
+                 "%d. %d.", &int1, &int2);
+  test_eq(r,0);
 #endif
 
 #if SIZEOF_LONG == 4
+  /* %lu */
+  /* UINT32_MAX should work */
+  test_eq(1, tor_sscanf("4294967295", "%lu", &ulng));
+  test_eq(4294967295UL, ulng);
+
+  /* But UINT32_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("4294967296", "%lu", &ulng));
+  /* but parsing only 9... */
+  test_eq(1, tor_sscanf("4294967296", "%9lu", &ulng));
+  test_eq(429496729UL, ulng);
+
+  /* %lx */
+  /* UINT32_MAX should work */
+  test_eq(1, tor_sscanf("FFFFFFFF", "%lx", &ulng));
+  test_eq(0xFFFFFFFFUL, ulng);
+
+  /* But UINT32_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("100000000", "%lx", &ulng));
+
+  /* %ld */
+  /* INT32_MIN and INT32_MAX should work */
   r = tor_sscanf("-2147483648. 2147483647.", "%ld. %ld.", &lng1, &lng2);
   test_eq(r,2);
-  test_eq(lng1, -2147483647 - 1);
-  test_eq(lng2, 2147483647);
+  test_eq(lng1, -2147483647L - 1L);
+  test_eq(lng2, 2147483647L);
+
+  /* But INT32_MIN - 1 and INT32_MAX + 1 shouldn't work */
+  r = tor_sscanf("-2147483649.", "%ld.", &lng1);
+  test_eq(r,0);
+
+  r = tor_sscanf("2147483648.", "%ld.", &lng1);
+  test_eq(r,0);
+
+  /* and the first failure stops further processing */
+  r = tor_sscanf("-2147483648. 2147483648.",
+                 "%ld. %ld.", &lng1, &lng2);
+  test_eq(r,1);
+
+  r = tor_sscanf("-2147483649. 2147483647.",
+                 "%ld. %ld.", &lng1, &lng2);
+  test_eq(r,0);
+
+  r = tor_sscanf("2147483648. -2147483649.",
+                 "%ld. %ld.", &lng1, &lng2);
+  test_eq(r,0);
 #elif SIZEOF_LONG == 8
+  /* %lu */
+  /* UINT64_MAX should work */
+  test_eq(1, tor_sscanf("18446744073709551615", "%lu", &ulng));
+  test_eq(18446744073709551615UL, ulng);
+
+  /* But UINT64_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("18446744073709551616", "%lu", &ulng));
+  /* but parsing only 19... */
+  test_eq(1, tor_sscanf("18446744073709551616", "%19lu", &ulng));
+  test_eq(1844674407370955161UL, ulng);
+
+  /* %lx */
+  /* UINT64_MAX should work */
+  test_eq(1, tor_sscanf("FFFFFFFFFFFFFFFF", "%lx", &ulng));
+  test_eq(0xFFFFFFFFFFFFFFFFUL, ulng);
+
+  /* But UINT64_MAX + 1 shouldn't work */
+  test_eq(0, tor_sscanf("10000000000000000", "%lx", &ulng));
+
+  /* %ld */
+  /* INT64_MIN and INT64_MAX should work */
   r = tor_sscanf("-9223372036854775808. 9223372036854775807.",
                  "%ld. %ld.", &lng1, &lng2);
   test_eq(r,2);
-  test_eq(lng1, -9223372036854775807L - 1);
+  test_eq(lng1, -9223372036854775807L - 1L);
   test_eq(lng2, 9223372036854775807L);
 
+  /* But INT64_MIN - 1 and INT64_MAX + 1 shouldn't work */
+  r = tor_sscanf("-9223372036854775809.", "%ld.", &lng1);
+  test_eq(r,0);
+
+  r = tor_sscanf("9223372036854775808.", "%ld.", &lng1);
+  test_eq(r,0);
+
+  /* and the first failure stops further processing */
   r = tor_sscanf("-9223372036854775808. 9223372036854775808.",
                  "%ld. %ld.", &lng1, &lng2);
   test_eq(r,1);
-  r = tor_sscanf("-9223372036854775809. 9223372036854775808.",
+
+  r = tor_sscanf("-9223372036854775809. 9223372036854775807.",
+                 "%ld. %ld.", &lng1, &lng2);
+  test_eq(r,0);
+
+  r = tor_sscanf("9223372036854775808. -9223372036854775809.",
                  "%ld. %ld.", &lng1, &lng2);
   test_eq(r,0);
 #endif
@@ -2484,12 +2625,17 @@ test_util_exit_status(void *ptr)
   int n;
 
   (void)ptr;
+  
+  clear_hex_errno(hex_errno);
+  test_streq("", hex_errno);
 
   clear_hex_errno(hex_errno);
   n = format_helper_exit_status(0, 0, hex_errno);
   test_streq("0/0\n", hex_errno);
   test_eq(n, strlen(hex_errno));
 
+#if SIZEOF_INT == 4
+  
   clear_hex_errno(hex_errno);
   n = format_helper_exit_status(0, 0x7FFFFFFF, hex_errno);
   test_streq("0/7FFFFFFF\n", hex_errno);
@@ -2500,6 +2646,21 @@ test_util_exit_status(void *ptr)
   test_streq("FF/-80000000\n", hex_errno);
   test_eq(n, strlen(hex_errno));
   test_eq(n, HEX_ERRNO_SIZE);
+  
+#elif SIZEOF_INT == 8
+  
+  clear_hex_errno(hex_errno);
+  n = format_helper_exit_status(0, 0x7FFFFFFFFFFFFFFF, hex_errno);
+  test_streq("0/7FFFFFFFFFFFFFFF\n", hex_errno);
+  test_eq(n, strlen(hex_errno));
+  
+  clear_hex_errno(hex_errno);
+  n = format_helper_exit_status(0xFF, -0x8000000000000000, hex_errno);
+  test_streq("FF/-8000000000000000\n", hex_errno);
+  test_eq(n, strlen(hex_errno));
+  test_eq(n, HEX_ERRNO_SIZE);
+  
+#endif
 
   clear_hex_errno(hex_errno);
   n = format_helper_exit_status(0x7F, 0, hex_errno);
@@ -2510,6 +2671,9 @@ test_util_exit_status(void *ptr)
   n = format_helper_exit_status(0x08, -0x242, hex_errno);
   test_streq("8/-242\n", hex_errno);
   test_eq(n, strlen(hex_errno));
+  
+  clear_hex_errno(hex_errno);
+  test_streq("", hex_errno);
 
  done:
   ;
@@ -3195,6 +3359,27 @@ test_util_di_ops(void)
     test_eq(neq1, !eq1);
   }
 
+  /* exhaustively white-box test tor_memeq
+   * against each possible (single-byte) bit difference
+   * some arithmetic bugs only appear with certain bit patterns */
+  {
+  const uint8_t z = 0;
+  uint8_t ii = 0;
+  for (i = 0; i < 256; i++) {
+    ii = (uint8_t)i;
+    test_eq(tor_memeq(&z, &ii, 1), z == ii);
+  }
+
+  /* exhaustively white-box test tor_memcmp
+   * against each possible single-byte numeric difference
+   * some arithmetic bugs only appear with certain bit patterns */
+  for (i = 0; i < 256; i++) {
+    ii = (uint8_t)i;
+    test_eq(tor_memcmp(&z, &ii, 1) > 0 ? GT : EQ, z > ii ? GT : EQ);
+    test_eq(tor_memcmp(&ii, &z, 1) < 0 ? LT : EQ, ii < z ? LT : EQ);
+  }
+  }
+
   tt_int_op(1, ==, safe_mem_is_zero("", 0));
   tt_int_op(1, ==, safe_mem_is_zero("", 1));
   tt_int_op(0, ==, safe_mem_is_zero("a", 1));