[tor-commits] [tor/release-0.4.1] Check return value of buf_move_to_buf for error.
teor at torproject.org
teor at torproject.org
Fri Aug 9 21:29:59 UTC 2019
commit 0fa95308fe5fcce8842530fcae5a49188856e6ac
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Mar 31 17:33:11 2019 +0200
Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.
This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".
This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.
If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.
Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
---
src/or/connection.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/or/connection.c b/src/or/connection.c
index 791fd95c2..4f636eeb8 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -3581,6 +3581,10 @@ connection_read_to_buf(connection_t *conn, ssize_t *max_to_read,
if (conn->linked_conn) {
result = move_buf_to_buf(conn->inbuf, conn->linked_conn->outbuf,
&conn->linked_conn->outbuf_flushlen);
+ if (BUG(result<0)) {
+ log_warn(LD_BUG, "reading from linked connection buffer failed.");
+ return -1;
+ }
} else {
result = 0;
}
More information about the tor-commits
mailing list