Bulletproof the safe_timer_diff function

Originally it can overflow in some weird cases. Now it should no longer be able to do so. Additionally, limit main's timers to 30 days rather than to 38 years; we don't actually want any 38-year timers. Closes bug 17682.
2024-11-10 21:23:58 +01:00 · 2016-01-28 22:04:24 -05:00 · 2016-01-28 22:04:24 -05:00 · 601b41084a
commit 601b41084a
parent a5bed4dab2
1 changed files with 13 additions and 1 deletions
--- a/src/or/main.c
+++ b/src/or/main.c
@ -1414,11 +1414,23 @@ reschedule_directory_downloads(void)
  periodic_event_reschedule(launch_descriptor_fetches_event);
 }

+#define LONGEST_TIMER_PERIOD (30 * 86400)
+/** Helper: Return the number of seconds between <b>now</b> and <b>next</b>,
+ * clipped to the range [1 second, LONGEST_TIMER_PERIOD]. */
 static inline int
 safe_timer_diff(time_t now, time_t next)
 {
  if (next > now) {
-    tor_assert(next - now <= INT_MAX);
+    /* There were no computers at signed TIME_MIN (1902 on 32-bit systems),
+     * and nothing that could run Tor. It's a bug if 'next' is around then.
+     * On 64-bit systems with signed TIME_MIN, TIME_MIN is before the Big
+     * Bang. We cannot extrapolate past a singularity, but there was probably
+     * nothing that could run Tor then, either.
+     **/
+    tor_assert(next > TIME_MIN + LONGEST_TIMER_PERIOD);
+
+    if (next - LONGEST_TIMER_PERIOD > now)
+      return LONGEST_TIMER_PERIOD;
    return (int)(next - now);
  } else {
    return 1;