[tor-bugs] #26348 [Obfuscation/Snowflake]: Guard against large reads
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jun 10 23:55:16 UTC 2018
#26348: Guard against large reads
---------------------------------------+--------------------
Reporter: dcf | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Keywords: easy
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
---------------------------------------+--------------------
Snowflake code calls ioutil.ReadAll from a socket/HTTP in many places in
the code:
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n123 1]
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n153 2]
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n200 3]
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n100 4]
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/proxy-go/snowflake.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n160 5].
These should all get an [https://golang.org/pkg/io/#LimitReader io.LimitReader]
or [https://golang.org/pkg/net/http/#MaxBytesReader http.MaxBytesReader]
with a limit of 100 KB or so. Like
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/server-webrtc/http.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n40 this one]:
{{{
// Cap the request body at 100000 bytes; MaxBytesReader returns an error
// (and tells the server to close the connection) once the limit is passed.
body, err := ioutil.ReadAll(http.MaxBytesReader(w, req.Body, 100000))
if err != nil {
    http.Error(w, "Bad request.", http.StatusBadRequest)
    return
}
}}}
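The two guards the ticket asks for, written out as an added example for this ticket rather than code from the Snowflake tree: http.MaxBytesReader on the server side, where a ResponseWriter is available (the broker handlers), and io.LimitReader on the client side, where a response body is read with no ResponseWriter (client/rendezvous.go, proxy-go). The names MaxBodyBytes, boundedHandler, readBoundedBody, readBoundedResponse and handleBody are assumptions made for the example; the 100000-byte limit copies the server-webrtc snippet.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
)

// MaxBodyBytes is the cap applied to every read from a socket or HTTP body.
// The ticket suggests "100 KB or so"; 100000 matches the server-webrtc snippet.
const MaxBodyBytes = 100000

// readBoundedBody reads at most MaxBodyBytes from a request body. Beyond the
// limit MaxBytesReader returns an error and, on a real server, marks the
// connection to be closed so the client cannot keep pushing data.
func readBoundedBody(w http.ResponseWriter, req *http.Request) ([]byte, error) {
	return ioutil.ReadAll(http.MaxBytesReader(w, req.Body, MaxBodyBytes))
}

// boundedHandler is a hypothetical stand-in for the broker handlers that
// currently call ioutil.ReadAll on req.Body unbounded.
func boundedHandler(w http.ResponseWriter, req *http.Request) {
	body, err := readBoundedBody(w, req)
	if err != nil {
		http.Error(w, "Bad request.", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// readBoundedResponse caps a client-side read (e.g. of an HTTP response body)
// using io.LimitReader. It reads limit+1 bytes so that an oversized body is
// reported as an error instead of being silently truncated to exactly limit.
func readBoundedResponse(r io.Reader, limit int64) ([]byte, error) {
	data, err := ioutil.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("body exceeds %d bytes", limit)
	}
	return data, nil
}

// handleBody drives boundedHandler with a constructed body of n zero bytes
// and returns the HTTP status it produced.
func handleBody(n int) int {
	req := httptest.NewRequest("POST", "/client", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	boundedHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("small body:", handleBody(10))                   // 200
	fmt.Println("body at the limit:", handleBody(MaxBodyBytes))  // 200
	fmt.Println("oversized body:", handleBody(MaxBodyBytes+1))   // 400

	_, err := readBoundedResponse(bytes.NewReader(make([]byte, MaxBodyBytes+1)), MaxBodyBytes)
	fmt.Println("client-side limit:", err)
}
```

The limit+1 read in readBoundedResponse is the detail worth keeping: a bare io.LimitReader(r, limit) quietly drops everything past the limit and hands back a truncated, but apparently valid, body, which for a rendezvous message is an ambiguous failure. Reading one extra byte turns "too large" into an explicit error, matching what MaxBytesReader already does on the server side.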
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26348>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online