summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2020-07-30 14:24:25 -0400
committerNick Mathewson <nickm@torproject.org>2020-07-30 14:24:25 -0400
commitc4742b89b23d58958ee0d5ca324dac5948c94bf6 (patch)
treef403e603d110b8a2f986051d45f240c17eb43e8a
parent0a588821cb5540e901a3d5b07ac73a20905a2c64 (diff)
downloadtor-c4742b89b23d58958ee0d5ca324dac5948c94bf6.tar.gz
tor-c4742b89b23d58958ee0d5ca324dac5948c94bf6.zip
Fix a bug in buf_move_all() when the input buffer is empty.
We found this in #40076, after we started using buf_move_all() in more places. Fixes bug #40076; bugfix on 0.3.3.1-alpha. As far as I know, the crash only affects master, but I think this warrants a backport, "just in case".
-rw-r--r--changes/bug400765
-rw-r--r--src/lib/container/buffers.c2
-rw-r--r--src/test/test_buffers.c2
3 files changed, 7 insertions, 2 deletions
diff --git a/changes/bug40076 b/changes/bug40076
new file mode 100644
index 0000000000..9ef5969ae8
--- /dev/null
+++ b/changes/bug40076
@@ -0,0 +1,5 @@
+ o Minor bugfixes (correctness, buffers):
+ - Fix a correctness bug that could cause an assertion failure if we ever
+ tried using the buf_move_all() function with an empty input.
+ As far as we know, no released versions of Tor do this.
+ Fixes bug 40076; bugfix on 0.3.3.1-alpha.
diff --git a/src/lib/container/buffers.c b/src/lib/container/buffers.c
index 67887f2f30..fe4cf7c385 100644
--- a/src/lib/container/buffers.c
+++ b/src/lib/container/buffers.c
@@ -689,6 +689,8 @@ buf_move_all(buf_t *buf_out, buf_t *buf_in)
tor_assert(buf_out);
if (!buf_in)
return;
+ if (buf_datalen(buf_in) == 0)
+ return;
if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
return;
if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
diff --git a/src/test/test_buffers.c b/src/test/test_buffers.c
index 67a49a5017..3e7364a5c8 100644
--- a/src/test/test_buffers.c
+++ b/src/test/test_buffers.c
@@ -310,7 +310,6 @@ test_buffers_move_all(void *arg)
buf_t *output = buf_new();
char *s = NULL;
-#if 0
/* Move from empty buffer to nonempty buffer. (This is a regression test for
* #40076) */
buf_add(output, "abc", 3);
@@ -329,7 +328,6 @@ test_buffers_move_all(void *arg)
/* Move from empty to empty. */
output = buf_new();
input = buf_new();
-#endif
buf_move_all(output, input);
buf_assert_ok(input);
buf_assert_ok(output);