From 71ee53fe9bdf3f64eef9b38de55960185e8be1b5 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 3 Mar 2015 22:20:17 +0100
Subject: [PATCH 1/3] Do not leave empty, invalid chunks in buffers during buf_pullup

This fixes an assertion failure bug in 15083; bugfix on 0.2.0.10-alpha.
Patch from 'cypherpunks'

---
 changes/bug15083 | 6 ++++++
 src/or/buffers.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug15083

diff --git a/changes/bug15083 b/changes/bug15083
new file mode 100644
index 000000000..98d1d0e53
--- /dev/null
+++ b/changes/bug15083
@@ -0,0 +1,6 @@
+ o Major bugfixes (relay, stability):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout was passed
+ to buf_pullup() at exactly the wrong time. Fixes bug 15083;
+ bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
+
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 9be0476f6..797643279 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -426,7 +426,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)
 size_t n = bytes - dest->datalen;
 src = dest->next;
 tor_assert(src);
- if (n > src->datalen) {
+ if (n >= src->datalen) {
 memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
 dest->datalen += src->datalen;
 dest->next = src->next;

From 81a994ce77038721df3aa2f77b783db9a52da79e Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 3 Mar 2015 22:25:26 +0100
Subject: [PATCH 2/3] Make the assert related to 15083 a tiny bit more tolerant

---
 changes/bug15083 | 6 +++++-
 src/or/buffers.c | 9 ++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/changes/bug15083 b/changes/bug15083
index 98d1d0e53..2bd0715df 100644
--- a/changes/bug15083
+++ b/changes/bug15083
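Review bot: The comparison change at `if (n >= src->datalen)` is the entire fix, yet nothing in the hunk records why the boundary matters, and a later reader can easily "tidy" it back to `>`. A comment on that line would pin it down: `/* >= on purpose: when the next chunk holds exactly the bytes still needed, unlink it rather than advancing its data pointer to the end of its memory and leaving an empty chunk behind (#15083). */`. The commit also adds no unit test for the layout it fixes (dest short by exactly src->datalen bytes); a buffers test that builds that layout, calls buf_pullup() and then assert_buf_ok() would keep it from regressing. The rest of buf_pullup(), including what happens to the unlinked `src`, lies outside the hunk.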
@@ -3,4 +3,8 @@
 failure if a buffer of exactly the wrong layout was passed
 to buf_pullup() at exactly the wrong time. Fixes bug 15083;
 bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
-
+
+ - Do not assert if the 'data' pointer on a buffer is advanced to the very
+ end of the buffer; log a BUG message instead. Only assert if it is
+ past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 797643279..9dfed007d 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -2483,7 +2483,14 @@ assert_buf_ok(buf_t *buf)
 total += ch->datalen;
 tor_assert(ch->datalen <= ch->memlen);
 tor_assert(ch->data >= &ch->mem[0]);
- tor_assert(ch->data < &ch->mem[0]+ch->memlen);
+ tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
+ if (ch->data == &ch->mem[0]+ch->memlen) {
+ static int warned = 0;
+ if (! warned) {
+ log_warn(LD_BUG, "Invariant violation in buf.c related to #15083");
+ warned = 1;
+ }
+ }
 tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen);
 if (!ch->next)
 tor_assert(ch == buf->tail);

From addffcc14ddf40b3cd1bff3fa86a82354e981a03 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 9 Mar 2015 11:07:50 -0400
Subject: [PATCH 3/3] Adjust changes header

---
 changes/bug15083 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changes/bug15083 b/changes/bug15083
index 2bd0715df..5cc79b5ba 100644
--- a/changes/bug15083
+++ b/changes/bug15083
@@ -1,4 +1,4 @@
- o Major bugfixes (relay, stability):
+ o Major bugfixes (relay, stability, possible security):
 - Fix a bug that could lead to a relay crashing with an assertion
 failure if a buffer of exactly the wrong layout was passed
 to buf_pullup() at exactly the wrong time. Fixes bug 15083;
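Review bot: The message in `log_warn(LD_BUG, "Invariant violation in buf.c related to #15083");` names a file that does not match the one being patched, src/or/buffers.c, and does not say which invariant failed, which makes the log line hard to act on; suggest `log_warn(LD_BUG, "Invariant violation in buffers.c: chunk data pointer at end of memory (#15083)");`. The relaxed `tor_assert(ch->data <= &ch->mem[0]+ch->memlen);` together with the unchanged `ch->data+ch->datalen <= ...` check below it means the tolerated state is exactly an empty chunk whose data pointer sits one past its memory — the state the `>=` change to buf_pullup() in the previous patch is meant to prevent — so a comment such as `/* Empty chunk with its data pointer advanced to the very end of its memory; tolerate and log once instead of asserting, see #15083. */` would tell the next reader why the assert was loosened. The once-only `static int warned` guard also means any recurrence after the first is silent; whether that is acceptable depends on how often assert_buf_ok() runs, which is not visible here. The remainder of assert_buf_ok() lies outside the hunk.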