Ticket #30041: 0002-Protect-buffers-against-INT_MAX-datalen-overflows.patch

File 0002-Protect-buffers-against-INT_MAX-datalen-overflows.patch, 2.7 KB (added by asn, 6 months ago)
  • src/lib/buf/buffers.c

    From fbc0b9f71ca4be43ae7638747217006805d47b81 Mon Sep 17 00:00:00 2001
    From: Tobias Stoeckmann <tobias@stoeckmann.org>
    Date: Sun, 31 Mar 2019 17:32:41 +0200
    Subject: [PATCH 2/3] Protect buffers against INT_MAX datalen overflows.
    
    Many buffer functions have a hard limit of INT_MAX for datalen, but
    this limitation is not enforced in all functions:
    
    - buf_move_all may exceed that limit with too many chunks
    - buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
    - buf_new_with_data may exceed that limit (unit tests only)
    
    This patch adds some annotations in some buf_pos_t functions to
    guarantee that no out of boundary access could occur even if another
    function lacks safe guards against datalen overflows.
    
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    ---
     src/lib/buf/buffers.c | 11 +++++++++--
     1 file changed, 9 insertions(+), 2 deletions(-)
    
    diff --git a/src/lib/buf/buffers.c b/src/lib/buf/buffers.c
    index e7a3b87df..88a25b847 100644
    a b buf_t * 
    283283buf_new_with_data(const char *cp, size_t sz)
    284284{
    285285  /* Validate arguments */
    286   if (!cp || sz <= 0) {
     286  if (!cp || sz <= 0 || sz >= INT_MAX) {
    287287    return NULL;
    288288  }
    289289
    buf_move_to_buf(buf_t *buf_out, buf_t *buf_in, size_t *buf_flushlen) 
    657657  char b[4096];
    658658  size_t cp, len;
    659659
    660   if (BUG(buf_out->datalen >= INT_MAX))
     660  if (BUG(buf_out->datalen >= INT_MAX || *buf_flushlen >= INT_MAX))
    661661    return -1;
    662662  if (BUG(buf_out->datalen >= INT_MAX - *buf_flushlen))
    663663    return -1;
    buf_move_all(buf_t *buf_out, buf_t *buf_in) 
    689689  tor_assert(buf_out);
    690690  if (!buf_in)
    691691    return;
     692  if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
     693    return;
     694  if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
     695    return;
    692696
    693697  if (buf_out->head == NULL) {
    694698    buf_out->head = buf_in->head;
    buf_find_pos_of_char(char ch, buf_pos_t *out) 
    756760static inline int
    757761buf_pos_inc(buf_pos_t *pos)
    758762{
     763  tor_assert(pos->pos < INT_MAX - 1);
    759764  ++pos->pos;
    760765  if (pos->pos == (off_t)pos->chunk->datalen) {
    761766    if (!pos->chunk->next)
    buf_find_offset_of_char(buf_t *buf, char ch) 
    836841{
    837842  chunk_t *chunk;
    838843  off_t offset = 0;
     844  tor_assert(buf->datalen < INT_MAX);
    839845  for (chunk = buf->head; chunk; chunk = chunk->next) {
    840846    char *cp = memchr(chunk->data, ch, chunk->datalen);
    841847    if (cp)
    buf_assert_ok(buf_t *buf) 
    905911    for (ch = buf->head; ch; ch = ch->next) {
    906912      total += ch->datalen;
    907913      tor_assert(ch->datalen <= ch->memlen);
     914      tor_assert(ch->datalen < INT_MAX);
    908915      tor_assert(ch->data >= &ch->mem[0]);
    909916      tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
    910917      if (ch->data == &ch->mem[0]+ch->memlen) {