summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2007-12-26 18:55:56 +0000
committerNick Mathewson <nickm@torproject.org>2007-12-26 18:55:56 +0000
commit80151b42df0011adf4c4798c51cb496c773d2e2b (patch)
tree3ed2240d18242ac4d6e98e699e1f81cf08baae70 /src
parent84b6e26c505678953baf727c5a03ea08d98efcb7 (diff)
downloadtor-80151b42df0011adf4c4798c51cb496c773d2e2b.tar.gz
tor-80151b42df0011adf4c4798c51cb496c773d2e2b.zip
r15717@tombo: nickm | 2007-12-26 13:55:53 -0500
Oops. flush_buf_tls can request more than the requested number of bytes. When that happens, do not let the size_t sz wrap around. svn:r12988
Diffstat (limited to 'src')
-rw-r--r--src/or/buffers.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/src/or/buffers.c b/src/or/buffers.c
index e446064c97..bf57a7a87c 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -678,7 +678,10 @@ flush_chunk_tls(tor_tls_t *tls, buf_t *buf, chunk_t *chunk,
r = tor_tls_write(tls, chunk->data, sz);
if (r < 0)
return r;
- *buf_flushlen -= r;
+ if (*buf_flushlen > (size_t)r)
+ *buf_flushlen -= r;
+ else
+ *buf_flushlen = 0;
buf_remove_from_front(buf, r);
log_debug(LD_NET,"flushed %d bytes, %d ready to flush, %d remain.",
r,(int)*buf_flushlen,(int)buf->datalen);
@@ -721,25 +724,28 @@ flush_buf(int s, buf_t *buf, size_t sz, size_t *buf_flushlen)
}
/** As flush_buf(), but writes data to a TLS connection.
+ * DOCDOC can write more than flushlen bytes.
*/
int
-flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t sz, size_t *buf_flushlen)
+flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t flushlen, size_t *buf_flushlen)
{
int r;
size_t flushed = 0;
+ ssize_t sz;
tor_assert(buf_flushlen);
tor_assert(*buf_flushlen <= buf->datalen);
- tor_assert(sz <= *buf_flushlen);
+ tor_assert(flushlen <= *buf_flushlen);
+ sz = (ssize_t) flushlen;
/* we want to let tls write even if flushlen is zero, because it might
* have a partial record pending */
check_no_tls_errors();
check();
- while (sz) {
+ while (sz >= 0) {
size_t flushlen0;
if (buf->head) {
- if (buf->head->datalen >= sz)
+ if ((ssize_t)buf->head->datalen >= sz)
flushlen0 = sz;
else
flushlen0 = buf->head->datalen;