Ticket #30041: 0003-Check-return-value-of-buf_move_to_buf-for-error.patch

File 0003-Check-return-value-of-buf_move_to_buf-for-error.patch, 1.6 KB (added by asn, 5 months ago)
  • src/core/mainloop/connection.c

    From 3b242a941674ba698ef024831c79e8bbbda26c71 Mon Sep 17 00:00:00 2001
    From: Tobias Stoeckmann <tobias@stoeckmann.org>
    Date: Sun, 31 Mar 2019 17:33:11 +0200
    Subject: [PATCH 3/3] Check return value of buf_move_to_buf for error.
    
    If the concatenation of connection buffer and the buffer of linked
    connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
    error value.
    
    This value is currently casted to size_t (variable n_read) and will
    erroneously lead to an increasement of variable "max_to_read".
    
    This in turn can be used to call connection_buf_read_from_socket to
    store more data inside the buffer than expected and clogging the
    connection buffer.
    
    If the linked connection buffer was able to overflow INT_MAX, the call
    of buf_move_to_buf would have previously internally triggered an integer
    overflow, corrupting the state of the connection buffer.
    
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    ---
     src/core/mainloop/connection.c | 4 ++++
     1 file changed, 4 insertions(+)
    
    diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
    index a56e7f9e0..51c19b4c4 100644
    a b connection_buf_read_from_socket(connection_t *conn, ssize_t *max_to_read, 
    37893789    if (conn->linked_conn) {
    37903790      result = buf_move_to_buf(conn->inbuf, conn->linked_conn->outbuf,
    37913791                               &conn->linked_conn->outbuf_flushlen);
     3792      if (BUG(result<0)) {
     3793        log_warn(LD_BUG, "reading from linked connection buffer failed.");
     3794        return -1;
     3795      }
    37923796    } else {
    37933797      result = 0;
    37943798    }