point out some bugs for nick, noticed by whiteout

svn:r4574
author: Roger Dingledine <arma@torproject.org> 2005-07-15 18:48:38 +0000
committer: Roger Dingledine <arma@torproject.org> 2005-07-15 18:48:38 +0000
commit: 83dc42055d851e24bc21ae3fe951943724dc252d (patch)
tree: f64c42f9548b61b2602c627f3e2d1766e0291145 /src
parent: 6cb32f0c9d2fdeebf74f626eb430bc2b9661cf8f (diff)
download: tor-83dc42055d851e24bc21ae3fe951943724dc252d.tar.gz
tor-83dc42055d851e24bc21ae3fe951943724dc252d.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/or/control.c b/src/or/control.c
index 1e776fb817..b01a0093c9 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -315,11 +315,12 @@ read_escaped_data(const char *data, size_t len, int translate_newlines,
 
   *out = outp = tor_malloc(len);
 
-  while (len) {
+  while (len) { /* XXX: len never changes during the loop? */
     if (*data == '.')
       ++data;
     if (translate_newlines)
       next = tor_memmem(data, len, "\r\n", 2);
+      /* XXX: as data increases, we're reading past our allowed buffer! */
     else
       next = tor_memmem(data, len, "\r\n.", 3);
     if (next) {
@@ -327,7 +328,7 @@ read_escaped_data(const char *data, size_t len, int translate_newlines,
       outp += (next-data);
       data = next+2;
     } else {
-      memcpy(outp, data, len);
+      memcpy(outp, data, len); /* len is constant. scribbling from past *out. */
       outp += len;
       return outp - *out;
     }
author	Roger Dingledine <arma@torproject.org>	2005-07-15 18:48:38 +0000
committer	Roger Dingledine <arma@torproject.org>	2005-07-15 18:48:38 +0000
commit	83dc42055d851e24bc21ae3fe951943724dc252d (patch)
tree	f64c42f9548b61b2602c627f3e2d1766e0291145 /src
parent	6cb32f0c9d2fdeebf74f626eb430bc2b9661cf8f (diff)
download	tor-83dc42055d851e24bc21ae3fe951943724dc252d.tar.gz tor-83dc42055d851e24bc21ae3fe951943724dc252d.zip