tor: torcontrol disconnect on too many lines to avoid OOM

This commit ensures the `TorControlConnection::m_message` buffer doesn't grow unbounded and exhaust memory, by limiting the number of lines handled by `TorControlConnection::ProcessBuffer()` to `MAX_LINE_COUNT = 1000`. Now the most memory that can be occupied by `m_message` is on the order of `MAX_LINE_LENGTH * MAX_LINE_COUNT= 100MB` Although this is not compliant with the tor control protocol in general, where commands like `GETINFO ns/all` will likely return thousands of lines, it is more than sufficient for handling the replies from the commands that are used by a node: `AUTHENTICATE`: 1 line: The server responds with 250 OK on success or 515 Bad authentication if the authentication cookie is incorrect. Tor closes the connection on an authentication failure. https://spec.torproject.org/control-spec/commands.html#authenticate `GETINFO net/listener/socks`: 2 lines A quoted, space-separated list of the locations where Tor is listening... https://spec.torproject.org/control-spec/commands.html#getinfo `AUTHCHALLENGE SAFECOOKIE`: 1 line If the server accepts the command, the server reply format is: ``` "250 AUTHCHALLENGE" SP "SERVERHASH=" ServerHash SP "SERVERNONCE=" ServerNonce CRLF ``` https://spec.torproject.org/control-spec/commands.html#authenticate `PROTOCOLINFO`: 4-5 lines The server reply format is: ``` 250-PROTOCOLINFO" SP PIVERSION CRLF \*InfoLine "250 OK" CRLF InfoLine = AuthLine / VersionLine / OtherLine ``` (https://spec.torproject.org/control-spec/commands.html#protocolinfo) `ADD_ONION`: 2-3 lines for Bitcoin Core's tor control client. The server reply format is: ``` "250-ServiceID=" ServiceID CRLF ["250-PrivateKey=" KeyType ":" KeyBlob CRLF] *("250-ClientAuth=" ClientName ":" ClientBlob CRLF) "250 OK" CRLF ``` ... The server response will only include a private key if the server was requested to generate a new keypair ... If client authorization is enabled using the “BasicAuth” flag (which is v2 only), the service will not be accessible to clients without valid authorization data (configured with the “HidServAuth” option). The list of authorized clients is specified with one or more “ClientAuth” parameters. If “ClientBlob” is not specified for a client, a new credential will be randomly generated and returned." https://spec.torproject.org/control-spec/commands.html#add_onion We don't set the `BasicAuth` flag, so the response will not include any `ClientAuthLines`.
2026-05-11 22:43:06 +02:00 · 2026-04-14 17:17:23 -07:00
parent 8b68287bf9
commit 9fe5896a44
2 changed files with 29 additions and 0 deletions
--- a/src/torcontrol.cpp
+++ b/src/torcontrol.cpp
@@ -63,6 +63,11 @@ constexpr std::chrono::duration<double> RECONNECT_TIMEOUT_MAX{600.0};
 * this is belt-and-suspenders sanity limit to prevent memory exhaustion.
 */
 constexpr int MAX_LINE_LENGTH = 100000;
+/** Maximum number of lines received on TorControlConnection per reply to avoid
+ * memory exhaustion. The largest expected now is 5 (PROTOCOLINFO), but future
+ * changes to this file might need to re-evaluate MAX_LINE_COUNT.
+ */
+constexpr int MAX_LINE_COUNT = 1000;
 /** Timeout for socket operations */
 constexpr auto SOCKET_SEND_TIMEOUT = 10s;

@@ -177,6 +182,9 @@ bool TorControlConnection::ProcessBuffer()
    auto start = reader.it;

    while (auto line = reader.ReadLine()) {
+        if (m_message.lines.size() == MAX_LINE_COUNT) {
+            throw std::runtime_error(strprintf("Control port reply exceeded %d lines, disconnecting", MAX_LINE_COUNT));
+        }
        // Skip short lines
        if (line->size() < 4) continue;

--- a/test/functional/feature_torcontrol.py
+++ b/test/functional/feature_torcontrol.py
@@ -237,11 +237,32 @@ class TorControlTest(BitcoinTestFramework):

        mock_tor.stop()

+    def test_overmany_lines(self):
+        mock_tor = MockTorControlServer(self.next_port(), manual_mode=True)
+        self.restart_with_mock(mock_tor)
+
+        MAX_LINE_COUNT = 1000
+
+        self.log.info("Test that Tor control does not disconnect on receiving MAX_LINE_COUNT lines.")
+        with self.expect_disconnect(False, mock_tor):
+            for _ in range(MAX_LINE_COUNT - 1):
+                mock_tor.send_raw("250-Continuing\r\n")
+            mock_tor.send_raw("250 OK\r\n")
+
+        self.log.info("Test that Tor control disconnects on receiving MAX_LINE_COUNT + 1 lines.")
+        with self.expect_disconnect(True, mock_tor):
+            for _ in range(MAX_LINE_COUNT + 1):
+                mock_tor.send_raw("250-Continuing\r\n")
+
+        mock_tor.stop()
+
    def run_test(self):
        self.test_basic()
        self.test_partial_data()
        self.test_pow_fallback()
        self.test_oversized_line()
+        self.test_overmany_lines()
+

 if __name__ == '__main__':
    TorControlTest(__file__).main()