authorNick Mathewson <nickm@torproject.org>2015-03-09 13:37:22 -0400
committerNick Mathewson <nickm@torproject.org>2015-03-09 13:37:22 -0400
commitb70a0a01ec99064e23ccf56c7ff6d0bec397b2f7 (patch)
tree1a750a6350fd9d91081b7a7b58a675c0c1279a24
parentdc06c071a4629f15f5956668f10f3a10ef536dfb (diff)
parent6704e18dd2e09111eeca0c76fb00a459f9da98ea (diff)
Merge branch 'maint-0.2.4' into release-0.2.4
-rw-r--r--changes/bug1508310
-rw-r--r--src/or/buffers.c11
2 files changed, 19 insertions, 2 deletions
diff --git a/changes/bug15083 b/changes/bug15083
new file mode 100644
index 0000000000..5cc79b5ba1
--- /dev/null
+++ b/changes/bug15083
@@ -0,0 +1,10 @@
+ o Major bugfixes (relay, stability, possible security):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout was passed
+ to buf_pullup() at exactly the wrong time. Fixes bug 15083;
+ bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
+
+ - Do not assert if the 'data' pointer on a buffer is advanced to the very
+ end of the buffer; log a BUG message instead. Only assert if it is
+ past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
diff --git a/src/or/buffers.c b/src/or/buffers.c
index c4c847ec87..ab3346d9b7 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -425,7 +425,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)
size_t n = bytes - dest->datalen;
src = dest->next;
tor_assert(src);
- if (n > src->datalen) {
+ if (n >= src->datalen) {
memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
dest->datalen += src->datalen;
dest->next = src->next;
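Review bot: The boundary case this comparison now covers, `n == src->datalen`, has no regression test in the commit; the diffstat lists only the changes file and src/or/buffers.c. A unit test that builds a buffer whose second chunk holds exactly the number of bytes still needed, then calls buf_pullup() and assert_buf_ok(), would pin the fix. A short comment above the test would also keep the operator from being "simplified" back later, e.g. `/* >= : a source chunk that is drained completely is unlinked here (bug 15083) */`. The else branch and the rest of buf_pullup() are outside the hunk, so how the equal case was handled before is inferred from the changes entry, not visible here.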
@@ -2494,7 +2494,14 @@ assert_buf_ok(buf_t *buf)
total += ch->datalen;
tor_assert(ch->datalen <= ch->memlen);
tor_assert(ch->data >= &ch->mem[0]);
- tor_assert(ch->data < &ch->mem[0]+ch->memlen);
+ tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
+ if (ch->data == &ch->mem[0]+ch->memlen) {
+ static int warned = 0;
+ if (! warned) {
+ log_warn(LD_BUG, "Invariant violation in buf.c related to #15083");
+ warned = 1;
+ }
+ }
tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen);
if (!ch->next)
tor_assert(ch == buf->tail);
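Review bot: The new warning names `buf.c`, but the file being patched is src/or/buffers.c, so an operator or developer grepping from the log line will not land on this code. Suggest `log_warn(LD_BUG, "Invariant violation in buffers.c related to #15083");`. A comment above the `if` should say that a one-past-the-end `data` pointer is tolerated only for an empty chunk, which the following `tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen)` still enforces. The same comment should note that `warned` is a function-level static, so the condition is reported once per process and later occurrences are silent. assert_buf_ok() starts and ends outside the hunk.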