[tor-bugs] #26348 [Obfuscation/Snowflake]: Guard against large reads

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 10 23:55:16 UTC 2018


#26348: Guard against large reads
---------------------------------------+--------------------
     Reporter:  dcf                    |      Owner:  (none)
         Type:  defect                 |     Status:  new
     Priority:  Medium                 |  Milestone:
    Component:  Obfuscation/Snowflake  |    Version:
     Severity:  Normal                 |   Keywords:  easy
Actual Points:                         |  Parent ID:
       Points:                         |   Reviewer:
      Sponsor:                         |
---------------------------------------+--------------------
 Snowflake code calls ioutil.ReadAll from a socket/HTTP in many places in
 the code: [https://gitweb.torproject.org/pluggable-
 transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n123
 1] [https://gitweb.torproject.org/pluggable-
 transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n153
 2] [https://gitweb.torproject.org/pluggable-
 transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n200
 3] [https://gitweb.torproject.org/pluggable-
 transports/snowflake.git/tree/client/rendezvous.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n100
 4] [https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree
 /proxy-go/snowflake.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n160
 5].

 These should all get an [https://golang.org/pkg/io/#LimitReader
 io.LimitReader] or [https://golang.org/pkg/net/http/#MaxBytesReader
 http.MaxBytesReader] with a limit of 100 KB or so. Like
 [https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree
 /server-webrtc/http.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n40
 this one]:
 {{{
         body, err := ioutil.ReadAll(http.MaxBytesReader(w, req.Body,
 100000))
         if err != nil {
                 http.Error(w, "Bad request.", http.StatusBadRequest)
                 return
         }
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26348>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list