[tor-commits] [tor/release-0.4.0] Protect buffers against INT_MAX datalen overflows.

2019-08-09 Thread teor 
commit 74b2bc43fbe61e3a04fe3f5cc9f817be307e13e1
Author: Tobias Stoeckmann 
Date:   Tue Apr 9 11:59:20 2019 -0400

Protect buffers against INT_MAX datalen overflows.

Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

  [This is a backport of the submitted patch to 0.2.9, where the
  buf_move_to_buf and buf_new_with_data functions did not exist.]
---
 src/or/buffers.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/or/buffers.c b/src/or/buffers.c
index 89382d1d8..394ba0ccb 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -394,6 +394,10 @@ buf_free(buf_t *buf)
 {
   if (!buf)
 return;
+  if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
+return;
+  if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
+return;
 
   buf_clear(buf);
   buf->magic = 0xdeadbeef;
@@ -1034,6 +1038,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
 static inline int
 buf_pos_inc(buf_pos_t *pos)
 {
+  tor_assert(pos->pos < INT_MAX - 1);
   ++pos->pos;
   if (pos->pos == (off_t)pos->chunk->datalen) {
 if (!pos->chunk->next)
@@ -1925,6 +1930,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
 {
   chunk_t *chunk;
   off_t offset = 0;
+  tor_assert(buf->datalen < INT_MAX);
   for (chunk = buf->head; chunk; chunk = chunk->next) {
 char *cp = memchr(chunk->data, ch, chunk->datalen);
 if (cp)
@@ -2044,6 +2050,7 @@ assert_buf_ok(buf_t *buf)
 for (ch = buf->head; ch; ch = ch->next) {
   total += ch->datalen;
   tor_assert(ch->datalen <= ch->memlen);
+  tor_assert(ch->datalen < INT_MAX);
   tor_assert(ch->data >= >mem[0]);
   tor_assert(ch->data <= >mem[0]+ch->memlen);
   if (ch->data == >mem[0]+ch->memlen) {



___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

[tor-commits] [tor/release-0.4.0] Protect buffers against INT_MAX datalen overflows.

2019-04-10 Thread teor 
commit 5a6ab3e7dbf601ae3cc006855f7f4e6c834cbeb2
Author: Tobias Stoeckmann 
Date:   Sun Mar 31 17:32:41 2019 +0200

Protect buffers against INT_MAX datalen overflows.

Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

Signed-off-by: Tobias Stoeckmann 
---
 src/common/buffers.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/common/buffers.c b/src/common/buffers.c
index a01add9be..3951877c5 100644
--- a/src/common/buffers.c
+++ b/src/common/buffers.c
@@ -273,7 +273,7 @@ buf_t *
 buf_new_with_data(const char *cp, size_t sz)
 {
   /* Validate arguments */
-  if (!cp || sz <= 0) {
+  if (!cp || sz <= 0 || sz >= INT_MAX) {
 return NULL;
   }
 
@@ -818,7 +818,7 @@ buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t 
*buf_flushlen)
   char b[4096];
   size_t cp, len;
 
-  if (BUG(buf_out->datalen >= INT_MAX))
+  if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX))
 return -1;
   if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
 return -1;
@@ -850,6 +850,10 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
   tor_assert(buf_out);
   if (!buf_in)
 return;
+  if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
+return;
+  if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
+return;
 
   if (buf_out->head == NULL) {
 buf_out->head = buf_in->head;
@@ -917,6 +921,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
 static inline int
 buf_pos_inc(buf_pos_t *pos)
 {
+  tor_assert(pos->pos < INT_MAX - 1);
   ++pos->pos;
   if (pos->pos == (off_t)pos->chunk->datalen) {
 if (!pos->chunk->next)
@@ -997,6 +1002,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
 {
   chunk_t *chunk;
   off_t offset = 0;
+  tor_assert(buf->datalen < INT_MAX);
   for (chunk = buf->head; chunk; chunk = chunk->next) {
 char *cp = memchr(chunk->data, ch, chunk->datalen);
 if (cp)
@@ -1125,6 +1131,7 @@ buf_assert_ok(buf_t *buf)
 for (ch = buf->head; ch; ch = ch->next) {
   total += ch->datalen;
   tor_assert(ch->datalen <= ch->memlen);
+  tor_assert(ch->datalen < INT_MAX);
   tor_assert(ch->data >= >mem[0]);
   tor_assert(ch->data <= >mem[0]+ch->memlen);
   if (ch->data == >mem[0]+ch->memlen) {



___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits