nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check return value of buf_move_to_buf for error.

Browse Source 
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
This commit is contained in:
Tobias Stoeckmann 2019-03-31 17:33:11 +02:00 committed by Nick Mathewson
parent 5a6ab3e7db
commit a628e36024
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/or/connection.c
View File

@ -3561,6 +3561,10 @@ connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) {
result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen);
if (BUG(result<0)) {
log_warn(LD_BUG, "reading from linked connection buffer failed.");
return -1;
}
} else {
result = 0;
}