Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'maint-0.2.6' into maint-0.2.7

Nick Mathewson 8 years ago
parent
a9c8a5ff18 b6227edae1
commit
2673b4b7a8
2 changed files with 43 additions and 8 deletions
Split View Show Diff Stats
  1. 11 0
      changes/buf-sentinel
  2. 32 8
      src/or/buffers.c

+ 11 - 0
changes/buf-sentinel
View File 

@@ -0,0 +1,11 @@
 
+  o Major features (security fixes):
 
+
 
+    - Prevent a class of security bugs caused by treating the contents
 
+      of a buffer chunk as if they were a NUL-terminated string.  At
 
+      least one such bug seems to be present in all currently used
 
+      versions of Tor, and would allow an attacker to remotely crash
 
+      most Tor instances, especially those compiled with extra compiler
 
+      hardening. With this defense in place, such bugs can't crash Tor,
 
+      though we should still fix them as they occur. Closes ticket 20384
 
+      (TROVE-2016-10-001).
 
+

+ 32 - 8
src/or/buffers.c
View File 

@@ -69,12 +69,33 @@ static int parse_socks_client(const uint8_t *data, size_t datalen,
 
 
 #define CHUNK_HEADER_LEN STRUCT_OFFSET(chunk_t, mem[0])
 
 
+/* We leave this many NUL bytes at the end of the buffer. */
 
+#define SENTINEL_LEN 4
 
+
 
+/* Header size plus NUL bytes at the end */
 
+#define CHUNK_OVERHEAD (CHUNK_HEADER_LEN + SENTINEL_LEN)
 
+
 
 /** Return the number of bytes needed to allocate a chunk to hold
 
  * <b>memlen</b> bytes. */
 
-#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_HEADER_LEN + (memlen))
 
+#define CHUNK_ALLOC_SIZE(memlen) (CHUNK_OVERHEAD + (memlen))
 
 /** Return the number of usable bytes in a chunk allocated with
 
  * malloc(<b>memlen</b>). */
 
-#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_HEADER_LEN)
 
+#define CHUNK_SIZE_WITH_ALLOC(memlen) ((memlen) - CHUNK_OVERHEAD)
 
+
 
+#define DEBUG_SENTINEL
 
+
 
+#ifdef DEBUG_SENTINEL
 
+#define DBG_S(s) s
 
+#else
 
+#define DBG_S(s) (void)0
 
+#endif
 
+
 
+#define CHUNK_SET_SENTINEL(chunk, alloclen) do {                        \
 
+    uint8_t *a = (uint8_t*) &(chunk)->mem[(chunk)->memlen];             \
 
+    DBG_S(uint8_t *b = &((uint8_t*)(chunk))[(alloclen)-SENTINEL_LEN]);  \
 
+    DBG_S(tor_assert(a == b));                                          \
 
+    memset(a,0,SENTINEL_LEN);                                           \
 
+  } while (0)
 
 
 /** Return the next character in <b>chunk</b> onto which data can be appended.
 
  * If the chunk is full, this might be off the end of chunk->mem. */
 
@@ -131,6 +152,7 @@ chunk_new_with_alloc_size(size_t alloc)
 
   ch->memlen = CHUNK_SIZE_WITH_ALLOC(alloc);
 
   total_bytes_allocated_in_chunks += alloc;
 
   ch->data = &ch->mem[0];
 
+  CHUNK_SET_SENTINEL(ch, alloc);
 
   return ch;
 
 }
 
 
@@ -140,18 +162,20 @@ static INLINE chunk_t *
 
 chunk_grow(chunk_t *chunk, size_t sz)
 
 {
 
   off_t offset;
 
-  size_t memlen_orig = chunk->memlen;
 
+  const size_t memlen_orig = chunk->memlen;
 
+  const size_t orig_alloc = CHUNK_ALLOC_SIZE(memlen_orig);
 
+  const size_t new_alloc = CHUNK_ALLOC_SIZE(sz);
 
   tor_assert(sz > chunk->memlen);
 
   offset = chunk->data - chunk->mem;
 
-  chunk = tor_realloc(chunk, CHUNK_ALLOC_SIZE(sz));
 
+  chunk = tor_realloc(chunk, new_alloc);
 
   chunk->memlen = sz;
 
   chunk->data = chunk->mem + offset;
 
 #ifdef DEBUG_CHUNK_ALLOC
 
-  tor_assert(chunk->DBG_alloc == CHUNK_ALLOC_SIZE(memlen_orig));
 
-  chunk->DBG_alloc = CHUNK_ALLOC_SIZE(sz);
 
+  tor_assert(chunk->DBG_alloc == orig_alloc);
 
+  chunk->DBG_alloc = new_alloc;
 
 #endif
 
-  total_bytes_allocated_in_chunks +=
 
-    CHUNK_ALLOC_SIZE(sz) - CHUNK_ALLOC_SIZE(memlen_orig);
 
+  total_bytes_allocated_in_chunks += new_alloc - orig_alloc;
 
+  CHUNK_SET_SENTINEL(chunk, new_alloc);
 
   return chunk;
 
 }