Fix integer overflow in the rate-limiter (#19435).

changes/bug19435

@@ -0,0 +1,6 @@
+  o Major bugfixes (user interface):
+    - Fix an integer overflow in the rate-limiter that caused displaying of
+      wrong number of suppressed messages (if there are too many of them).
+      If the number of messages hits the limit of messages per interval the
+      rate-limiter drops a warning and doesn't count any further.
+      Fixes bug 19435.

src/common/util.c

@@ -1983,7 +1983,9 @@ update_approx_time(time_t now)
 
 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return the number
  * of calls to rate_limit_is_ready (including this one!) since the last time
- * rate_limit_is_ready returned nonzero.  Otherwise return 0. */
+ * rate_limit_is_ready returned nonzero.  Otherwise return 0.
+ * If the call number hits <b>RATELIM_TOOMANY</b> limit, drop a warning
+ * about this event and stop counting. */
 static int
 rate_limit_is_ready(ratelim_t *lim, time_t now)
 {
@@ -1993,7 +1995,15 @@ rate_limit_is_ready(ratelim_t *lim, time_t now)
     lim->n_calls_since_last_time = 0;
     return res;
   } else {
-    ++lim->n_calls_since_last_time;
+    if (lim->n_calls_since_last_time < RATELIM_TOOMANY) {
+      ++lim->n_calls_since_last_time;
+    } else if (lim->n_calls_since_last_time == RATELIM_TOOMANY) {
+      log_warn(LD_GENERAL,
+        "Enormously large number of messages (%d). It's probably a bug.",
+        RATELIM_TOOMANY);
+      ++lim->n_calls_since_last_time;
+    }
+
     return 0;
   }
 }

src/common/util.h

@@ -292,6 +292,7 @@ typedef struct ratelim_t {
 } ratelim_t;
 
 #define RATELIM_INIT(r) { (r), 0, 0 }
+#define RATELIM_TOOMANY (16*1000)
 
 char *rate_limit_log(ratelim_t *lim, time_t now);