fail to encode the lease count *before* changing anything

This preserves the failure behavior - `struct.error` is raised - but leaves
the actual share file contents untouched if the new lease count cannot be
encoded.

There are still two separate write operations so it is conceivable that some
other problem could cause `write_lease_record` to happen but
`write_encoded_num_leases` not to happen.  As far as I can tell we have
severely limited options for addressing that problem in general as long as
share files are backed by a POSIX filesystem.

However, by removing the failure mode that depends on user input, it may be
that this is all that is needed to close the *security* hole.

Jean-Paul Calderone 2021-10-18 10:50:28 -04:00
parent f60bbbd3e2
commit df64bbb1e4

@ -209,8 +209,11 @@ class ShareFile(object):
def add_lease(self, lease_info):
with open(self.home, 'rb+') as f:
num_leases = self._read_num_leases(f)
# Before we write the new lease record, make sure we can encode
# the new lease count.
new_lease_count = struct.pack(self._lease_count_format, num_leases + 1)
self._write_lease_record(f, num_leases, lease_info)
self._write_num_leases(f, num_leases+1)
self._write_encoded_num_leases(f, new_lease_count)
def renew_lease(self, renew_secret, new_expire_time):
for i,lease in enumerate(self.get_leases()):
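
Review bot: In `add_lease`, the new `struct.pack(self._lease_count_format, num_leases + 1)` call lets `struct.error` propagate to the caller, and the comment above it does not say that this is deliberate or that it must stay ahead of `_write_lease_record`. Please extend the comment to state that the exception is intentionally raised before any write so the share file is left untouched, since a later refactor could easily move the pack back next to the write. A test that fills the lease count to the limit of `_lease_count_format`, calls `add_lease`, and asserts both that `struct.error` is raised and that the file bytes are unchanged would pin that behavior down. It is also worth a short comment that the record is written before the count on purpose, so that a failure between the two writes leaves an uncounted record rather than a count that points past the written data.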