author | Nick Mathewson <nickm@torproject.org> | 2015-01-05 09:32:53 -0500 |
committer | Nick Mathewson <nickm@torproject.org> | 2015-01-05 09:32:53 -0500 |
commit | 841ecbd96105c84ac2e7c9594aeadbcc6fb38bc4 (patch) | |
tree | fde7aeb81adb945422988b560753222ae4fa1315 /evbuffer-internal.h | |
parent | 0eb391941bed827d78a0bf27d7baf887ef91211b (diff) | |
download | libevent-841ecbd96105c84ac2e7c9594aeadbcc6fb38bc4.tar.gz |
Fix CVE-2014-6272 in Libevent 2.1
For this fix, we need to make sure that passing too-large inputs to
the evbuffer functions can't make us do bad things with the heap.
Also, lower the maximum chunk size to the lower of the off_t and size_t maximums.
This is necessary since otherwise we could get into an infinite loop
if we make a chunk that 'misalign' cannot index into.
Diffstat (limited to 'evbuffer-internal.h')
-rw-r--r-- | evbuffer-internal.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/evbuffer-internal.h b/evbuffer-internal.h
index fb67ec09..cf4bddc8 100644
--- a/evbuffer-internal.h
+++ b/evbuffer-internal.h
@@ -155,6 +155,18 @@ struct evbuffer {
 struct bufferevent *parent;
 };
 
+#if EVENT__SIZEOF_OFF_T < EVENT__SIZEOF_SIZE_T
+typedef ev_ssize_t ev_misalign_t;
+#define EVBUFFER_CHAIN_MAX ((size_t)EV_SSIZE_MAX)
+#else
+typedef ev_off_t ev_misalign_t;
+#if EVENT__SIZEOF_OFF_T > EVENT__SIZEOF_SIZE_T
+#define EVBUFFER_CHAIN_MAX EV_SIZE_MAX
+#else
+#define EVBUFFER_CHAIN_MAX ((size_t)EV_SSIZE_MAX)
+#endif
+#endif
+
 /** A single item in an evbuffer. */
 struct evbuffer_chain {
 /** points to next buffer in the chain */
@@ -165,7 +177,7 @@ struct evbuffer_chain {
 /** unused space at the beginning of buffer or an offset into a
 * file for sendfile buffers. */
- ev_off_t misalign;
+ ev_misalign_t misalign;
 /** Offset into buffer + misalign at which to start writing.
 * In other words, the total number of bytes actually stored |
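Review bot: The new `ev_misalign_t` / `EVBUFFER_CHAIN_MAX` block in the first hunk carries no comment, so a reader of the header cannot tell that the cap is deliberately the narrower of what `size_t` and the misalign type can represent, which the commit message gives as the reason (a chunk that `misalign` cannot index into otherwise leads to an infinite loop). Suggest a comment above the first `#if`: `/* Largest buffer a single chain may hold: bounded by both size_t and ev_misalign_t so that misalign can always index every byte of the chunk. Every allocation of a chain buffer must be checked against this. */`. The three branches pick `EV_SSIZE_MAX` whenever the misalign type is no wider than `size_t` and `EV_SIZE_MAX` only when `off_t` is strictly wider, which matches that intent, but the limit is only protective if the allocation paths actually compare against it; that enforcement is not in this header and presumably lives in buffer.c, so it is worth confirming there. The second hunk, which switches `misalign` to `ev_misalign_t`, continues past the end of this page.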