Loading changes/bug15083 0 → 100644 +10 −0 Original line number Diff line number Diff line o Major bugfixes (relay, stability, possible security): - Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. - Do not assert if the 'data' pointer on a buffer is advanced to the very end of the buffer; log a BUG message instead. Only assert if it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. src/or/buffers.c +9 −2 Original line number Diff line number Diff line Loading @@ -447,7 +447,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate) size_t n = bytes - dest->datalen; src = dest->next; tor_assert(src); if (n > src->datalen) { if (n >= src->datalen) { memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen); dest->datalen += src->datalen; dest->next = src->next; Loading Loading @@ -2624,7 +2624,14 @@ assert_buf_ok(buf_t *buf) total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data < &ch->mem[0]+ch->memlen); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { static int warned = 0; if (! warned) { log_warn(LD_BUG, "Invariant violation in buf.c related to #15083"); warned = 1; } } tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen); if (!ch->next) tor_assert(ch == buf->tail); Loading Loading
changes/bug15083 0 → 100644 +10 −0 Original line number Diff line number Diff line o Major bugfixes (relay, stability, possible security): - Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. - Do not assert if the 'data' pointer on a buffer is advanced to the very end of the buffer; log a BUG message instead. Only assert if it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
src/or/buffers.c +9 −2 Original line number Diff line number Diff line Loading @@ -447,7 +447,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate) size_t n = bytes - dest->datalen; src = dest->next; tor_assert(src); if (n > src->datalen) { if (n >= src->datalen) { memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen); dest->datalen += src->datalen; dest->next = src->next; Loading Loading @@ -2624,7 +2624,14 @@ assert_buf_ok(buf_t *buf) total += ch->datalen; tor_assert(ch->datalen <= ch->memlen); tor_assert(ch->data >= &ch->mem[0]); tor_assert(ch->data < &ch->mem[0]+ch->memlen); tor_assert(ch->data <= &ch->mem[0]+ch->memlen); if (ch->data == &ch->mem[0]+ch->memlen) { static int warned = 0; if (! warned) { log_warn(LD_BUG, "Invariant violation in buf.c related to #15083"); warned = 1; } } tor_assert(ch->data+ch->datalen <= &ch->mem[0] + ch->memlen); if (!ch->next) tor_assert(ch == buf->tail); Loading
