sarah
/
tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'maint-0.2.4' into release-0.2.4

This commit is contained in:
Nick Mathewson 2015-03-09 13:37:22 -04:00
parent dc06c071a4 6704e18dd2
commit b70a0a01ec
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
changes/bug15083 Normal file
View File

@ -0,0 +1,10 @@
o Major bugfixes (relay, stability, possible security):
- Fix a bug that could lead to a relay crashing with an assertion
failure if a buffer of exactly the wrong layout was passed
to buf_pullup() at exactly the wrong time. Fixes bug 15083;
bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
- Do not assert if the 'data' pointer on a buffer is advanced to the very
end of the buffer; log a BUG message instead. Only assert if it is
past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.

11
src/or/buffers.c
View File

@ -425,7 +425,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)
size_t n = bytes - dest->datalen;
src = dest->next;
tor_assert(src);
if (n > src->datalen) {
if (n >= src->datalen) {
memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
dest->datalen += src->datalen;
dest->next = src->next;
@ -2494,7 +2494,14 @@ assert_buf_ok(buf_t *buf)
total += ch->datalen;
tor_assert(ch->datalen <= ch->memlen);
tor_assert(ch->data >= &ch->mem[0]);
tor_assert(ch->data < &ch->mem[0]+ch->memlen);
tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
if (ch->data == &ch->mem[0]+ch->memlen) {
static int warned = 0;
if (! warned) {
log_warn(LD_BUG, "Invariant violation in buf.c related to #15083");
warned = 1;
}
}
tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen);
if (!ch->next)
tor_assert(ch == buf->tail);