author | Nick Mathewson <nickm@torproject.org> | 2015-03-09 11:09:49 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2015-03-09 11:09:49 -0400 |
commit | a7f75b2056b8bdf59d064268c53a10ac46972380 (patch) | |
tree | 12180af553638301b7a98b9015acdcb47924aa87 | |
parent | de2c5ad8150a9c111dd8f1dcfed1ceea132578f9 (diff) | |
parent | 1a7419c3df300483f111923daca43febc33b368b (diff) | |
Merge remote-tracking branch 'origin/maint-0.2.5' into maint-0.2.6
-rw-r--r-- | changes/bug15083 | 10 | ||||
-rw-r--r-- | src/or/buffers.c | 11 |
2 files changed, 19 insertions, 2 deletions
diff --git a/changes/bug15083 b/changes/bug15083
new file mode 100644
index 0000000000..5cc79b5ba1
--- /dev/null
+++ b/changes/bug15083
@@ -0,0 +1,10 @@
+ o Major bugfixes (relay, stability, possible security):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout was passed
+ to buf_pullup() at exactly the wrong time. Fixes bug 15083;
+ bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
+
+ - Do not assert if the 'data' pointer on a buffer is advanced to the very
+ end of the buffer; log a BUG message instead. Only assert if it is
+ past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 9f5dc70ed5..be9974418d 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -232,7 +232,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)
 size_t n = bytes - dest->datalen;
 src = dest->next;
 tor_assert(src);
- if (n > src->datalen) {
+ if (n >= src->datalen) {
 memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
 dest->datalen += src->datalen;
 dest->next = src->next;
@@ -2436,7 +2436,14 @@ assert_buf_ok(buf_t *buf)
 total += ch->datalen;
 tor_assert(ch->datalen <= ch->memlen);
 tor_assert(ch->data >= &ch->mem[0]);
- tor_assert(ch->data < &ch->mem[0]+ch->memlen);
+ tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
+ if (ch->data == &ch->mem[0]+ch->memlen) {
+ static int warned = 0;
+ if (! warned) {
+ log_warn(LD_BUG, "Invariant violation in buf.c related to #15083");
+ warned = 1;
+ }
+ }
 tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen);
 if (!ch->next)
 tor_assert(ch == buf->tail); |
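Review bot: The `>=` in buf_pullup's `if (n >= src->datalen) {` carries the whole fix but has no comment saying why the equal case must take the whole-chunk branch, so a later cleanup could quietly turn it back into `>`. I would add above it `/* Use >= so a chunk that is drained exactly to empty is merged and unlinked here rather than left in the list with no data (bug 15083). */`. The diffstat lists only changes/bug15083 and src/or/buffers.c, so a unit test pinning the `n == src->datalen` boundary appears to be missing from this change. buf_pullup starts and ends outside the hunk, so the other branch, which presumably advances `src->data`, is not visible here.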
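Review bot: The warning added in assert_buf_ok names `buf.c`, but the file being patched is src/or/buffers.c, so an operator or developer searching from the log line will not find the source; `log_warn(LD_BUG, "Invariant violation in buffers.c related to #15083");` would match. The relaxed `tor_assert(ch->data <= &ch->mem[0]+ch->memlen);` also deserves a short comment stating that `data` may sit at the very end of `mem` only for an empty chunk, which the following `ch->data+ch->datalen` assert then enforces. Since `warned` is a function-level static, only the first occurrence per process is logged; the comment should say that too, so a single log line is not read as a single event. assert_buf_ok's body extends beyond the hunk on both sides.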