/** Allocate a new relay message and copy the content of the given message.
*
* This message allocation _will_ own its body, even if the original did not.
+ *
+ * Requires that msg is well-formed, and that its length is within
+ * allowable bounds.
**/
relay_msg_t *
relay_msg_copy(const relay_msg_t *msg)
{
+ tor_assert(msg->length <= RELAY_PAYLOAD_SIZE_MAX);
void *alloc = tor_malloc_zero(sizeof(relay_msg_t) + msg->length);
relay_msg_t *new_msg = alloc;
uint8_t *body = ((uint8_t*)alloc) + sizeof(relay_msg_t);
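Review bot: The new tor_assert at the top of relay_msg_copy only enforces the coarse bound RELAY_PAYLOAD_SIZE_MAX, while the struct comment added in the header hunk documents the tighter invariant that `length` must also not exceed `relay_cell_max_format(_, command)`; the docstring at "Requires that msg is well-formed, and that its length is within allowable bounds" should name the bound that is actually checked so callers know what the contract is. I would change those two comment lines to `* Requires that msg is well-formed and that msg->length <= RELAY_PAYLOAD_SIZE_MAX` followed by `* (checked with tor_assert, so a violation is fatal rather than an error return).` Because the check is fatal, it is a contract assertion on already-decoded messages, not input validation; if any caller can reach this with a length taken from a cell that has not yet been through a decoding function, that path would turn a malformed length into a process abort, which is worth confirming at the call sites. The body of relay_msg_copy continues past the end of this hunk.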
typedef struct relay_msg_t {
/* Relay command of a message. */
uint8_t command;
- /* Length of the message body. */
+ /* Length of the message body.
+ *
+ * This value MUST always be less than or equal to the lower of:
+ * - the number of bytes available in `body`.
+ * - relay_cell_max_format(_, command).
+ *
+ * (These bounds on the length field are guaranteed by all message decoding
+ * functions, and enforced by all message encoding functions.)
+ */
uint16_t length;
/* Optional routing header: stream ID of a message or 0. */
streamid_t stream_id;
/* Indicate if this is a message from a relay early cell. */
bool is_relay_early;
/* Message body of a relay message.
+ *
+ * Code MUST NOT access any part of `body` beyond the first `length` bytes.
*
* NOTE that this struct does not own the body; instead, this is a pointer
* into a different object. */