From fd3e0c154236c59c2972b549500675980bb02507 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Tue, 3 Mar 2020 07:01:05 +0000 Subject: [PATCH 1/7] core/mainloop: Limit growth of conn->inbuf If the buf_t's length could potentially become greater than INT_MAX - 1, it sets off an IF_BUG_ONCE in buf_read_from_tls(). All of the rest of the buffers.c code has similar BUG/asserts for this invariant. --- changes/bug33131 | 3 +++ src/core/mainloop/connection.c | 9 +++++++++ 2 files changed, 12 insertions(+) create mode 100644 changes/bug33131 diff --git a/changes/bug33131 b/changes/bug33131 new file mode 100644 index 0000000000..bc5ef7bc2d --- /dev/null +++ b/changes/bug33131 @@ -0,0 +1,3 @@ + o Minor bugfixes (mainloop): + - Better guard against growing a buffer past its maximum 2GB in size. + Fixes bug 33131; bugfix on 0.3.0.4-rc. diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 3595bba85c..3c8527dd53 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3684,6 +3684,15 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, at_most = connection_bucket_read_limit(conn, approx_time()); } + /* Do not allow inbuf to grow past INT_MAX - 1. */ + const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf); + if (at_most > maximum) { + log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %" + TOR_PRIdSZ" might overflow.", + (int)conn->s, buf_datalen(conn->inbuf), at_most); + at_most = maximum; + } + slack_in_buf = buf_slack(conn->inbuf); again: if ((size_t)at_most > slack_in_buf && slack_in_buf >= 1024) { From 84fe1c891bc77a2363a119f3c7dc834127bcacc7 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:55:12 +0000 Subject: [PATCH 2/7] core/mainloop: remove noisy logging --- src/core/mainloop/connection.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 3c8527dd53..218873ae66 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3687,9 +3687,6 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, /* Do not allow inbuf to grow past INT_MAX - 1. */ const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf); if (at_most > maximum) { - log_debug(LD_NET, "%d: inbuf_datalen=%"TOR_PRIuSZ", adding %" - TOR_PRIdSZ" might overflow.", - (int)conn->s, buf_datalen(conn->inbuf), at_most); at_most = maximum; } From f46b9320ae32f00aa97a397b33eaa7abdcb47fe3 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 16:02:00 +0000 Subject: [PATCH 3/7] buf: add BUF_MAX_LEN --- src/core/mainloop/connection.c | 4 ++-- src/lib/buf/buffers.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 708fb13cdb..f692da650d 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3804,8 +3804,8 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, at_most = connection_bucket_read_limit(conn, approx_time()); } - /* Do not allow inbuf to grow past INT_MAX - 1. */ - const ssize_t maximum = INT_MAX - 1 - buf_datalen(conn->inbuf); + /* Do not allow inbuf to grow past BUF_MAX_LEN. */ + const ssize_t maximum = BUF_MAX_LEN - buf_datalen(conn->inbuf); if (at_most > maximum) { at_most = maximum; } diff --git a/src/lib/buf/buffers.h b/src/lib/buf/buffers.h index fadd4174c0..d8a77feb72 100644 --- a/src/lib/buf/buffers.h +++ b/src/lib/buf/buffers.h @@ -29,6 +29,9 @@ void buf_free_(buf_t *buf); void buf_clear(buf_t *buf); buf_t *buf_copy(const buf_t *buf); +/** Maximum bytes in a buffer, inclusive. */ +#define BUF_MAX_LEN (INT_MAX - 1) + MOCK_DECL(size_t, buf_datalen, (const buf_t *buf)); size_t buf_allocation(const buf_t *buf); size_t buf_slack(const buf_t *buf); From bb3eda8617ad06b647542da0f6d62f7dafe31a87 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:15:43 +0000 Subject: [PATCH 4/7] net, tls: use INT_MAX - 1 in checks for buf_t No functionality change. --- src/lib/net/buffers_net.c | 12 ++++++------ src/lib/tls/buffers_tls.c | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/lib/net/buffers_net.c b/src/lib/net/buffers_net.c index aa84451074..db0179b8d3 100644 --- a/src/lib/net/buffers_net.c +++ b/src/lib/net/buffers_net.c @@ -76,7 +76,7 @@ read_to_chunk(buf_t *buf, chunk_t *chunk, tor_socket_t fd, size_t at_most, chunk->datalen += read_result; log_debug(LD_NET,"Read %ld bytes. %d on inbuf.", (long)read_result, (int)buf->datalen); - tor_assert(read_result < INT_MAX); + tor_assert(read_result <= INT_MAX - 1); return (int)read_result; } } @@ -103,9 +103,9 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, tor_assert(reached_eof); tor_assert(SOCKET_OK(fd)); - if (BUG(buf->datalen >= INT_MAX)) + if (BUG(buf->datalen > INT_MAX - 1)) return -1; - if (BUG(buf->datalen >= INT_MAX - at_most)) + if (BUG(buf->datalen > INT_MAX - 1 - at_most)) return -1; while (at_most > total_read) { @@ -127,7 +127,7 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, check(); if (r < 0) return r; /* Error */ - tor_assert(total_read+r < INT_MAX); + tor_assert(total_read+r <= INT_MAX - 1); total_read += r; if ((size_t)r < readlen) { /* eof, block, or no more to read. */ break; @@ -170,7 +170,7 @@ flush_chunk(tor_socket_t fd, buf_t *buf, chunk_t *chunk, size_t sz, } else { *buf_flushlen -= write_result; buf_drain(buf, write_result); - tor_assert(write_result < INT_MAX); + tor_assert(write_result <= INT_MAX - 1); return (int)write_result; } } @@ -217,7 +217,7 @@ buf_flush_to_fd(buf_t *buf, int fd, size_t sz, if (r == 0 || (size_t)r < flushlen0) /* can't flush any more now. */ break; } - tor_assert(flushed < INT_MAX); + tor_assert(flushed <= INT_MAX - 1); return (int)flushed; } diff --git a/src/lib/tls/buffers_tls.c b/src/lib/tls/buffers_tls.c index 87055744a7..b1e5cb8eed 100644 --- a/src/lib/tls/buffers_tls.c +++ b/src/lib/tls/buffers_tls.c @@ -68,9 +68,9 @@ buf_read_from_tls(buf_t *buf, tor_tls_t *tls, size_t at_most) check_no_tls_errors(); - IF_BUG_ONCE(buf->datalen >= INT_MAX) + IF_BUG_ONCE(buf->datalen > INT_MAX - 1) return TOR_TLS_ERROR_MISC; - IF_BUG_ONCE(buf->datalen >= INT_MAX - at_most) + IF_BUG_ONCE(buf->datalen > INT_MAX - 1 - at_most) return TOR_TLS_ERROR_MISC; while (at_most > total_read) { @@ -90,7 +90,7 @@ buf_read_from_tls(buf_t *buf, tor_tls_t *tls, size_t at_most) r = read_to_chunk_tls(buf, chunk, tls, readlen); if (r < 0) return r; /* Error */ - tor_assert(total_read+r < INT_MAX); + tor_assert(total_read+r <= INT_MAX - 1); total_read += r; if ((size_t)r < readlen) /* eof, block, or no more to read. */ break; @@ -177,6 +177,6 @@ buf_flush_to_tls(buf_t *buf, tor_tls_t *tls, size_t flushlen, if (r == 0) /* Can't flush any more now. */ break; } while (sz > 0); - tor_assert(flushed < INT_MAX); + tor_assert(flushed <= INT_MAX - 1); return (int)flushed; } From 9ce95138980bae2947256d7b91a2a390d0cdbbb9 Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:16:36 +0000 Subject: [PATCH 5/7] buf: use INT_MAX - 1 in checks No functionality change. --- src/lib/buf/buffers.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/lib/buf/buffers.c b/src/lib/buf/buffers.c index 09a074edcc..349242ae9f 100644 --- a/src/lib/buf/buffers.c +++ b/src/lib/buf/buffers.c @@ -285,7 +285,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ - if (!cp || sz <= 0 || sz >= INT_MAX) { + if (!cp || sz <= 0 || sz > INT_MAX - 1) { return NULL; } @@ -530,9 +530,9 @@ buf_add(buf_t *buf, const char *string, size_t string_len) return (int)buf->datalen; check(); - if (BUG(buf->datalen >= INT_MAX)) + if (BUG(buf->datalen > INT_MAX - 1)) return -1; - if (BUG(buf->datalen >= INT_MAX - string_len)) + if (BUG(buf->datalen > INT_MAX - 1 - string_len)) return -1; while (string_len) { @@ -551,7 +551,7 @@ buf_add(buf_t *buf, const char *string, size_t string_len) } check(); - tor_assert(buf->datalen < INT_MAX); + tor_assert(buf->datalen <= INT_MAX - 1); return (int)buf->datalen; } @@ -645,7 +645,7 @@ buf_get_bytes(buf_t *buf, char *string, size_t string_len) buf_peek(buf, string, string_len); buf_drain(buf, string_len); check(); - tor_assert(buf->datalen < INT_MAX); + tor_assert(buf->datalen <= INT_MAX - 1); return (int)buf->datalen; } @@ -660,9 +660,9 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; - if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX)) + if (BUG(buf_out->datalen > INT_MAX - 1 || *buf_flushlen > INT_MAX - 1)) return -1; - if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen)) + if (BUG(buf_out->datalen > INT_MAX - 1 - *buf_flushlen)) return -1; len = *buf_flushlen; @@ -670,7 +670,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) len = buf_in->datalen; cp = len; /* Remember the number of bytes we intend to copy. */ - tor_assert(cp < INT_MAX); + tor_assert(cp <= INT_MAX - 1); while (len) { /* This isn't the most efficient implementation one could imagine, since * it does two copies instead of 1, but I kinda doubt that this will be @@ -692,9 +692,9 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; - if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX)) + if (BUG(buf_out->datalen > INT_MAX - 1 || buf_in->datalen > INT_MAX - 1)) return; - if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen)) + if (BUG(buf_out->datalen > INT_MAX - 1 - buf_in->datalen)) return; if (buf_out->head == NULL) { @@ -748,7 +748,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) char *cp = memchr(chunk->data+pos, ch, chunk->datalen - pos); if (cp) { out->chunk = chunk; - tor_assert(cp - chunk->data < INT_MAX); + tor_assert(cp - chunk->data <= INT_MAX - 1); out->pos = (int)(cp - chunk->data); return out->chunk_pos + out->pos; } else { @@ -811,7 +811,7 @@ buf_find_string_offset(const buf_t *buf, const char *s, size_t n) buf_pos_init(buf, &pos); while (buf_find_pos_of_char(*s, &pos) >= 0) { if (buf_matches_at_pos(&pos, s, n)) { - tor_assert(pos.chunk_pos + pos.pos < INT_MAX); + tor_assert(pos.chunk_pos + pos.pos <= INT_MAX - 1); return (int)(pos.chunk_pos + pos.pos); } else { if (buf_pos_inc(&pos)<0) @@ -845,7 +845,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; ptrdiff_t offset = 0; - tor_assert(buf->datalen < INT_MAX); + tor_assert(buf->datalen <= INT_MAX - 1); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) @@ -915,7 +915,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); - tor_assert(ch->datalen < INT_MAX); + tor_assert(ch->datalen <= INT_MAX - 1); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { From 9e988406c7a12a9b46f5aa0344eb2e07500740ed Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:20:23 +0000 Subject: [PATCH 6/7] net, tls: use BUF_MAX_LEN --- src/lib/net/buffers_net.c | 12 ++++++------ src/lib/tls/buffers_tls.c | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/lib/net/buffers_net.c b/src/lib/net/buffers_net.c index db0179b8d3..4dbf491e1a 100644 --- a/src/lib/net/buffers_net.c +++ b/src/lib/net/buffers_net.c @@ -76,7 +76,7 @@ read_to_chunk(buf_t *buf, chunk_t *chunk, tor_socket_t fd, size_t at_most, chunk->datalen += read_result; log_debug(LD_NET,"Read %ld bytes. %d on inbuf.", (long)read_result, (int)buf->datalen); - tor_assert(read_result <= INT_MAX - 1); + tor_assert(read_result <= BUF_MAX_LEN); return (int)read_result; } } @@ -103,9 +103,9 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, tor_assert(reached_eof); tor_assert(SOCKET_OK(fd)); - if (BUG(buf->datalen > INT_MAX - 1)) + if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; - if (BUG(buf->datalen > INT_MAX - 1 - at_most)) + if (BUG(buf->datalen > BUF_MAX_LEN - at_most)) return -1; while (at_most > total_read) { @@ -127,7 +127,7 @@ buf_read_from_fd(buf_t *buf, int fd, size_t at_most, check(); if (r < 0) return r; /* Error */ - tor_assert(total_read+r <= INT_MAX - 1); + tor_assert(total_read+r <= BUF_MAX_LEN); total_read += r; if ((size_t)r < readlen) { /* eof, block, or no more to read. */ break; @@ -170,7 +170,7 @@ flush_chunk(tor_socket_t fd, buf_t *buf, chunk_t *chunk, size_t sz, } else { *buf_flushlen -= write_result; buf_drain(buf, write_result); - tor_assert(write_result <= INT_MAX - 1); + tor_assert(write_result <= BUF_MAX_LEN); return (int)write_result; } } @@ -217,7 +217,7 @@ buf_flush_to_fd(buf_t *buf, int fd, size_t sz, if (r == 0 || (size_t)r < flushlen0) /* can't flush any more now. */ break; } - tor_assert(flushed <= INT_MAX - 1); + tor_assert(flushed <= BUF_MAX_LEN); return (int)flushed; } diff --git a/src/lib/tls/buffers_tls.c b/src/lib/tls/buffers_tls.c index b1e5cb8eed..b92a14d6a1 100644 --- a/src/lib/tls/buffers_tls.c +++ b/src/lib/tls/buffers_tls.c @@ -68,9 +68,9 @@ buf_read_from_tls(buf_t *buf, tor_tls_t *tls, size_t at_most) check_no_tls_errors(); - IF_BUG_ONCE(buf->datalen > INT_MAX - 1) + IF_BUG_ONCE(buf->datalen > BUF_MAX_LEN) return TOR_TLS_ERROR_MISC; - IF_BUG_ONCE(buf->datalen > INT_MAX - 1 - at_most) + IF_BUG_ONCE(buf->datalen > BUF_MAX_LEN - at_most) return TOR_TLS_ERROR_MISC; while (at_most > total_read) { @@ -90,7 +90,7 @@ buf_read_from_tls(buf_t *buf, tor_tls_t *tls, size_t at_most) r = read_to_chunk_tls(buf, chunk, tls, readlen); if (r < 0) return r; /* Error */ - tor_assert(total_read+r <= INT_MAX - 1); + tor_assert(total_read+r <= BUF_MAX_LEN); total_read += r; if ((size_t)r < readlen) /* eof, block, or no more to read. */ break; @@ -177,6 +177,6 @@ buf_flush_to_tls(buf_t *buf, tor_tls_t *tls, size_t flushlen, if (r == 0) /* Can't flush any more now. */ break; } while (sz > 0); - tor_assert(flushed <= INT_MAX - 1); + tor_assert(flushed <= BUF_MAX_LEN); return (int)flushed; } From 64a934ff05575d63401fcdfdc6363df32191106c Mon Sep 17 00:00:00 2001 From: cypherpunks Date: Thu, 12 Mar 2020 19:23:11 +0000 Subject: [PATCH 7/7] buf: use BUF_MAX_LEN --- src/lib/buf/buffers.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/lib/buf/buffers.c b/src/lib/buf/buffers.c index 349242ae9f..95b384bf06 100644 --- a/src/lib/buf/buffers.c +++ b/src/lib/buf/buffers.c @@ -285,7 +285,7 @@ buf_t * buf_new_with_data(const char *cp, size_t sz) { /* Validate arguments */ - if (!cp || sz <= 0 || sz > INT_MAX - 1) { + if (!cp || sz <= 0 || sz > BUF_MAX_LEN) { return NULL; } @@ -530,9 +530,9 @@ buf_add(buf_t *buf, const char *string, size_t string_len) return (int)buf->datalen; check(); - if (BUG(buf->datalen > INT_MAX - 1)) + if (BUG(buf->datalen > BUF_MAX_LEN)) return -1; - if (BUG(buf->datalen > INT_MAX - 1 - string_len)) + if (BUG(buf->datalen > BUF_MAX_LEN - string_len)) return -1; while (string_len) { @@ -551,7 +551,7 @@ buf_add(buf_t *buf, const char *string, size_t string_len) } check(); - tor_assert(buf->datalen <= INT_MAX - 1); + tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } @@ -645,7 +645,7 @@ buf_get_bytes(buf_t *buf, char *string, size_t string_len) buf_peek(buf, string, string_len); buf_drain(buf, string_len); check(); - tor_assert(buf->datalen <= INT_MAX - 1); + tor_assert(buf->datalen <= BUF_MAX_LEN); return (int)buf->datalen; } @@ -660,9 +660,9 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) char b[4096]; size_t cp, len; - if (BUG(buf_out->datalen > INT_MAX - 1 || *buf_flushlen > INT_MAX - 1)) + if (BUG(buf_out->datalen > BUF_MAX_LEN || *buf_flushlen > BUF_MAX_LEN)) return -1; - if (BUG(buf_out->datalen > INT_MAX - 1 - *buf_flushlen)) + if (BUG(buf_out->datalen > BUF_MAX_LEN - *buf_flushlen)) return -1; len = *buf_flushlen; @@ -670,7 +670,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) len = buf_in->datalen; cp = len; /* Remember the number of bytes we intend to copy. */ - tor_assert(cp <= INT_MAX - 1); + tor_assert(cp <= BUF_MAX_LEN); while (len) { /* This isn't the most efficient implementation one could imagine, since * it does two copies instead of 1, but I kinda doubt that this will be @@ -692,9 +692,9 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in) tor_assert(buf_out); if (!buf_in) return; - if (BUG(buf_out->datalen > INT_MAX - 1 || buf_in->datalen > INT_MAX - 1)) + if (BUG(buf_out->datalen > BUF_MAX_LEN || buf_in->datalen > BUF_MAX_LEN)) return; - if (BUG(buf_out->datalen > INT_MAX - 1 - buf_in->datalen)) + if (BUG(buf_out->datalen > BUF_MAX_LEN - buf_in->datalen)) return; if (buf_out->head == NULL) { @@ -748,7 +748,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) char *cp = memchr(chunk->data+pos, ch, chunk->datalen - pos); if (cp) { out->chunk = chunk; - tor_assert(cp - chunk->data <= INT_MAX - 1); + tor_assert(cp - chunk->data <= BUF_MAX_LEN); out->pos = (int)(cp - chunk->data); return out->chunk_pos + out->pos; } else { @@ -764,7 +764,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out) static inline int buf_pos_inc(buf_pos_t *pos) { - tor_assert(pos->pos < INT_MAX - 1); + tor_assert(pos->pos < BUF_MAX_LEN); ++pos->pos; if (pos->pos == (ptrdiff_t)pos->chunk->datalen) { if (!pos->chunk->next) @@ -811,7 +811,7 @@ buf_find_string_offset(const buf_t *buf, const char *s, size_t n) buf_pos_init(buf, &pos); while (buf_find_pos_of_char(*s, &pos) >= 0) { if (buf_matches_at_pos(&pos, s, n)) { - tor_assert(pos.chunk_pos + pos.pos <= INT_MAX - 1); + tor_assert(pos.chunk_pos + pos.pos <= BUF_MAX_LEN); return (int)(pos.chunk_pos + pos.pos); } else { if (buf_pos_inc(&pos)<0) @@ -845,7 +845,7 @@ buf_find_offset_of_char(buf_t *buf, char ch) { chunk_t *chunk; ptrdiff_t offset = 0; - tor_assert(buf->datalen <= INT_MAX - 1); + tor_assert(buf->datalen <= BUF_MAX_LEN); for (chunk = buf->head; chunk; chunk = chunk->next) { char *cp = memchr(chunk->data, ch, chunk->datalen); if (cp) @@ -915,7 +915,7 @@ buf_assert_ok(buf_t *buf) for (ch = buf->head; ch; ch = ch->next) { total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); - tor_assert(ch->datalen <= INT_MAX - 1); + tor_assert(ch->datalen <= BUF_MAX_LEN); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) {