From c5da750cf3d53277fe6d86776bfe0d2304b05151 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield"
Date: Mon, 17 Aug 2015 12:52:20 +0200
Subject: [PATCH] common/iobuf.c: Add some sanity checks to catch programmer bugs.

* common/iobuf.c (iobuf_alloc): Check that BUFSIZE is not 0.
(iobuf_readbyte): Check that A is an input filter. Check that the amount of read data is at most the amount of buffered data.
(iobuf_read): Check that A is an input filter.
(iobuf_writebyte): Check that A is not an input filter.
(iobuf_writestr): Check that A is not an input filter.
(iobuf_flush_temp): Check that A is not an input filter.
--
Signed-off-by: Neal H. Walfield .
---
 common/iobuf.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/common/iobuf.c b/common/iobuf.c
index 769926234..41b9d185d 100644
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -1100,6 +1100,11 @@ iobuf_alloc (int use, size_t bufsize)
   static int number = 0;
 
   assert (use == IOBUF_INPUT || use == IOBUF_OUTPUT || use == IOBUF_TEMP);
+  if (bufsize == 0)
+    {
+      log_bug ("iobuf_alloc() passed a bufsize of 0!\n");
+      bufsize = IOBUF_BUFFER_SIZE;
+    }
 
   a = xcalloc (1, sizeof *a);
   a->use = use;
@@ -1935,6 +1940,14 @@ iobuf_readbyte (iobuf_t a)
 {
   int c;
 
+  if (a->use != IOBUF_INPUT)
+    {
+      log_bug ("iobuf_readbyte called on a non-INPUT pipeline!\n");
+      return -1;
+    }
+
+  assert (a->d.start <= a->d.len);
+
   if (a->nlimit && a->nbytes >= a->nlimit)
     return -1; /* forced EOF */
 
@@ -1945,6 +1958,8 @@ iobuf_readbyte (iobuf_t a)
   else if ((c = underflow (a, 1)) == -1)
     return -1; /* EOF */
 
+  assert (a->d.start <= a->d.len);
+
   /* Note: if underflow doesn't return EOF, then it returns the first
      byte that was read and advances a->d.start appropriately. */
 
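Review bot: The recovery line `bufsize = IOBUF_BUFFER_SIZE;` in the iobuf_alloc hunk is only reachable if log_bug returns, and in GnuPG's logging code log_bug is fatal (it aborts after printing), so as written this fallback looks like dead code; if the intent is to abort, drop the assignment, and if the intent is to recover, the call should be a non-fatal log_error. The hunk also mixes two failure modes for the same class of programmer error: the `use` value is checked with `assert` one line earlier while `bufsize` is checked with log_bug, so a release build with NDEBUG silently accepts a bad `use` but still trips on a zero `bufsize`. Pick one mechanism for both, e.g. `log_assert (use == IOBUF_INPUT || use == IOBUF_OUTPUT || use == IOBUF_TEMP);` if that macro is available in this tree. iobuf_alloc's body begins and ends outside the hunk.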
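Review bot: In the first iobuf_readbyte hunk the new `return -1;` after the `use` check is indistinguishable from the EOF value the function returns two lines later (`return -1; /* forced EOF */`), so if log_bug ever returns, a caller treats a misused pipeline as a clean end of input and carries on with whatever it has parsed so far, which is the worst way for an input-validation helper to fail. Either rely on log_bug being fatal and say so in a comment, e.g. `/* log_bug aborts; the return only silences the compiler.  */`, or make the misuse visible to callers. The hunk cuts through the middle of iobuf_readbyte; its tail, including the second `assert (a->d.start <= a->d.len);` after underflow, is in the following hunk.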
@@ -1959,6 +1974,13 @@ iobuf_read (iobuf_t a, void *buffer, unsigned int buflen)
   unsigned char *buf = (unsigned char *)buffer;
   int c, n;
 
+  if (a->use != IOBUF_INPUT)
+    {
+      log_bug ("iobuf_read called on a non-INPUT pipeline!\n");
+      return -1;
+    }
+  assert (a->use == IOBUF_INPUT);
+
   if (a->nlimit)
     {
       /* Handle special cases. */
@@ -2065,6 +2087,12 @@ iobuf_writebyte (iobuf_t a, unsigned int c)
 {
   int rc;
 
+  if (a->use == IOBUF_INPUT)
+    {
+      log_bug ("iobuf_writebyte called on an input pipeline!\n");
+      return -1;
+    }
+
   if (a->d.len == a->d.size)
     if ((rc=filter_flush (a)))
       return rc;
@@ -2081,6 +2109,12 @@ iobuf_write (iobuf_t a, const void *buffer, unsigned int buflen)
   const unsigned char *buf = (const unsigned char *)buffer;
   int rc;
 
+  if (a->use == IOBUF_INPUT)
+    {
+      log_bug ("iobuf_write called on an input pipeline!\n");
+      return -1;
+    }
+
   do
     {
       if (buflen && a->d.len < a->d.size)
@@ -2108,6 +2142,12 @@ iobuf_write (iobuf_t a, const void *buffer, unsigned int buflen)
 int
 iobuf_writestr (iobuf_t a, const char *buf)
 {
+  if (a->use == IOBUF_INPUT)
+    {
+      log_bug ("iobuf_writestr called on an input pipeline!\n");
+      return -1;
+    }
+
   return iobuf_write (a, buf, strlen (buf));
 }
 
@@ -2150,6 +2190,8 @@ iobuf_temp_to_buffer (iobuf_t a, byte * buffer, size_t buflen)
 void
 iobuf_flush_temp (iobuf_t temp)
 {
+  if (temp->use == IOBUF_INPUT)
+    log_bug ("iobuf_writestr called on an input pipeline!\n");
   while (temp->chain)
     pop_filter (temp, temp->filter, NULL);
 }
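Review bot: The `assert (a->use == IOBUF_INPUT);` in the iobuf_read hunk can never fire: it sits directly after `if (a->use != IOBUF_INPUT) { ... return -1; }`, so every path that reaches it has already established the condition, and the line only confuses the next reader about which check is the real one. Drop the assert, or drop the if-block and keep the assert if the intent is a debug-only check like the other asserts in this file. As in iobuf_readbyte, `return -1` here reuses the value that signals end of input, so a misuse that survives log_bug would be reported to callers as a short read rather than an error. iobuf_read's body continues well past the hunk.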
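Review bot: In the iobuf_writebyte hunk the `return -1;` is a different error convention from the rest of the function, which propagates `rc` from `filter_flush (a)`; if that value is a gpg error code, as the `if ((rc=filter_flush (a))) return rc;` idiom suggests, callers that do `if (rc) ... gpg_strerror (rc)` would receive a meaningless code for the misuse case. Consider `return gpg_error (GPG_ERR_BUG);` here and in the identical block added to iobuf_write in the next hunk, assuming gpg_error is available in this file as it is elsewhere in common/. iobuf_writebyte's body ends outside the hunk.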
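Review bot: The check added to iobuf_writestr duplicates the one the previous hunk adds to iobuf_write, and iobuf_writestr's whole body is a single `return iobuf_write (a, buf, strlen (buf));`, so the inner function already rejects the same pipeline with the same log level. Keeping both means any future change to the policy has to be made in two places; if the wrapper's check is kept only for the more specific message, a one-line comment such as `/* Checked again in iobuf_write; repeated here for a better message.  */` would tell the reader it is intentional. This hunk contains iobuf_writestr in full.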
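Review bot: The log message added to iobuf_flush_temp names the wrong function: it reads `iobuf_writestr called on an input pipeline!` but this is iobuf_flush_temp, so a report triggered here would send the investigator to the wrong code; it should be `log_bug ("iobuf_flush_temp called on an input pipeline!\n");`. Unlike every other block in this patch, this one neither braces the check nor returns after logging, so if log_bug is non-fatal the function falls through and pops the chain of a pipeline it has just declared invalid; add a `return;` inside a braced block for consistency with the other hunks. This hunk contains iobuf_flush_temp in full.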