diff options
author | Nick Mathewson <nickm@torproject.org> | 2017-02-27 09:12:51 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2017-02-27 10:01:27 -0500 |
commit | 074f24846321b8d08a8f67c37d72018842274c4e (patch) | |
tree | 738064057ee879a8587bc8d31f2864dfbae0463f /src | |
parent | ee5471f9aab55269c8c480f1f90dfeb08803ac15 (diff) | |
download | tor-074f24846321b8d08a8f67c37d72018842274c4e.tar.gz tor-074f24846321b8d08a8f67c37d72018842274c4e.zip |
Add one other BUG check to try to fix/solve 21369.
Teor thinks that this connection_dirserv_add_dir_bytes_to_outbuf()
might be the problem, if the "remaining" calculation underflows. So
I'm adding a couple of checks there, and improving the casts.
Diffstat (limited to 'src')
-rw-r--r-- | src/or/dirserv.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/or/dirserv.c b/src/or/dirserv.c index fa3938b5ec..fd9d0c768b 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -3629,8 +3629,14 @@ connection_dirserv_add_dir_bytes_to_outbuf(dir_connection_t *conn) if (bytes < 8192) bytes = 8192; remaining = conn->cached_dir->dir_z_len - conn->cached_dir_offset; - if (bytes > remaining) + if (BUG(remaining < 0)) { + remaining = 0; + } + if (bytes > remaining) { bytes = (ssize_t) remaining; + if (BUG(bytes < 0)) + return -1; + } if (conn->zlib_state) { connection_write_to_buf_zlib( @@ -3641,7 +3647,7 @@ connection_dirserv_add_dir_bytes_to_outbuf(dir_connection_t *conn) bytes, TO_CONN(conn)); } conn->cached_dir_offset += bytes; - if (conn->cached_dir_offset == (int)conn->cached_dir->dir_z_len) { + if (conn->cached_dir_offset >= (off_t)conn->cached_dir->dir_z_len) { /* We just wrote the last one; finish up. */ connection_dirserv_finish_spooling(conn); cached_dir_decref(conn->cached_dir); |