nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 13:13:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bug21369_check_029_squashed' into maint-0.3.0

Browse Source
This commit is contained in:
Nick Mathewson 2017-02-27 11:25:34 -05:00
commit c51919b0da
3 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changes/bug21369_check Normal file
View File

@ -0,0 +1,3 @@
o Minor features (reliability, crash):
- Try better to detect problems in buffers where they might grow (or
think they have grown) over 2 GB in size. Diagnostic for bug 21369.

21
src/or/buffers.c
View File

@ -610,6 +610,11 @@ read_to_buf(tor_socket_t s, size_t at_most, buf_t *buf, int *reached_eof,
tor_assert(reached_eof);
tor_assert(SOCKET_OK(s));
if (BUG(buf->datalen >= INT_MAX))
return -1;
if (BUG(buf->datalen >= INT_MAX - at_most))
return -1;
while (at_most > total_read) {
size_t readlen = at_most - total_read;
chunk_t *chunk;
@ -667,6 +672,11 @@ read_to_buf_tls(tor_tls_t *tls, size_t at_most, buf_t *buf)
check();
if (BUG(buf->datalen >= INT_MAX))
return -1;
if (BUG(buf->datalen >= INT_MAX - at_most))
return -1;
while (at_most > total_read) {
size_t readlen = at_most - total_read;
chunk_t *chunk;
@ -861,6 +871,11 @@ write_to_buf(const char *string, size_t string_len, buf_t *buf)
return (int)buf->datalen;
check();
if (BUG(buf->datalen >= INT_MAX))
return -1;
if (BUG(buf->datalen >= INT_MAX - string_len))
return -1;
while (string_len) {
size_t copy;
if (!buf->tail || !CHUNK_REMAINING_CAPACITY(buf->tail))
@ -1010,6 +1025,12 @@ move_buf_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen)
/* We can do way better here, but this doesn't turn up in any profiles. */
char b[4096];
size_t cp, len;
if (BUG(buf_out->datalen >= INT_MAX))
return -1;
if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
return -1;
len = *buf_flushlen;
if (len > buf_in->datalen)
len = buf_in->datalen;

10
src/or/dirserv.c
View File

@ -3658,8 +3658,14 @@ connection_dirserv_add_dir_bytes_to_outbuf(dir_connection_t *conn)
if (bytes < 8192)
bytes = 8192;
remaining = conn->cached_dir->dir_z_len - conn->cached_dir_offset;
if (bytes > remaining)
if (BUG(remaining < 0)) {
remaining = 0;
}
if (bytes > remaining) {
bytes = (ssize_t) remaining;
if (BUG(bytes < 0))
return -1;
}
if (conn->zlib_state) {
connection_write_to_buf_zlib(
@ -3670,7 +3676,7 @@ connection_dirserv_add_dir_bytes_to_outbuf(dir_connection_t *conn)
bytes, TO_CONN(conn));
}
conn->cached_dir_offset += bytes;
if (conn->cached_dir_offset == (int)conn->cached_dir->dir_z_len) {
if (conn->cached_dir_offset >= (off_t)conn->cached_dir->dir_z_len) {
/* We just wrote the last one; finish up. */
connection_dirserv_finish_spooling(conn);
cached_dir_decref(conn->cached_dir);