-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | src/or/buffers.c | 14 | ||||
-rw-r--r-- | src/or/test.c | 1 |
3 files changed, 12 insertions, 4 deletions
@@ -19,6 +19,7 @@ Changes in version 0.2.0.20-?? - 2008-02-??
0.2.0.x - Fix code used to find strings within buffers, when those strings are not in the first chunk of the buffer.
+ - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
o Minor features (performance):
- Tune parameters for cell pool allocation to minimize amount of
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 8c5e2efca5..7a5fa6e946 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -1072,18 +1072,24 @@ static int
buf_matches_at_pos(const buf_pos_t *pos, const char *s, size_t n)
{
buf_pos_t p;
+ if (!n)
+ return 1;
+
memcpy(&p, pos, sizeof(p));
- while (n) {
+ while (1) {
char ch = p.chunk->data[p.pos];
if (ch != *s)
return 0;
++s;
- --n;
+ /* If we're out of characters that don't match, we match. Check this
+ * _before_ we test incrementing pos, in case we're at the end of the
+ * string. */
+ if (--n == 0)
+ return 1;
if (buf_pos_inc(&p)<0)
return 0;
}
- return 1;
}
/** Return the first position in <b>buf</b> at which the <b>n</b>-character
@@ -1137,7 +1143,6 @@ fetch_from_buf_http(buf_t *buf,
if (!buf->head)
return 0;
- headers = buf->head->data;
crlf_offset = buf_find_string_offset(buf, "\r\n\r\n", 4);
if (crlf_offset > (int)max_headerlen || (crlf_offset < 0 && buf->datalen > max_headerlen)) {
@@ -1153,6 +1158,7 @@ fetch_from_buf_http(buf_t *buf,
buf_pullup(buf, crlf_offset+4, 0);
headerlen = crlf_offset + 4;
+ headers = buf->head->data;
bodylen = buf->datalen - headerlen;
log_debug(LD_HTTP,"headerlen %d, bodylen %d.", (int)headerlen, (int)bodylen);
diff --git a/src/or/test.c b/src/or/test.c
index f68bc97efa..c18eccff66 100644
--- a/src/or/test.c
+++ b/src/or/test.c
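Review bot: The new comment above `if (--n == 0)` in buf_matches_at_pos says the early return is needed "in case we're at the end of the string", but the hazard it guards is the end of the buffer: the next statement treats a failed `buf_pos_inc(&p)` as a mismatch, so a match whose last byte is the buffer's last byte would be rejected if the length check came after the increment (inferred from the two visible return paths). The phrase "out of characters that don't match" also reads backwards, since reaching that line means every byte compared so far matched. Suggested wording: `/* All n bytes matched. Check this before advancing p: buf_pos_inc() fails at the end of the buffer, and a match that ends exactly there must still succeed. */`.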
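Review bot: The re-placed `headers = buf->head->data;` after `buf_pullup(buf, crlf_offset+4, 0);` carries no comment saying why it must follow the pullup, so a later cleanup could hoist it back to where the removed line was and reintroduce the stale pointer the ChangeLog entry describes. Suggest `/* Take this pointer only after buf_pullup(): it may replace buf->head, so an earlier value would be stale. */` above the assignment; that buf_pullup replaces the head chunk is inferred from the move itself and should be confirmed against its definition. This covers both fetch_from_buf_http hunks; the function starts and ends outside them.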
@@ -267,6 +267,7 @@ test_buffers(void)
test_eq(39, buf_find_string_offset(buf, "ing str", 7));
test_eq(35, buf_find_string_offset(buf, "Testing str", 11));
test_eq(32, buf_find_string_offset(buf, "ng ", 3));
+ test_eq(43, buf_find_string_offset(buf, "string.", 7));
test_eq(-1, buf_find_string_offset(buf, "shrdlu", 6));
test_eq(-1, buf_find_string_offset(buf, "Testing thing", 13));
test_eq(-1, buf_find_string_offset(buf, "ngx", 3));
|
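Review bot: The added `test_eq(43, buf_find_string_offset(buf, "string.", 7));` pins the end-of-buffer match, but nothing in this hunk exercises the new zero-length early return in buf_matches_at_pos (`if (!n) return 1;`). A probe such as `test_eq(<expected-offset>, buf_find_string_offset(buf, "", 0));`, with the expected value taken from that function's contract for n == 0 (not visible here), would keep that branch covered and document the intended result. test_buffers() starts and ends outside the hunk.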