Merge branch 'bug8844_v2' into maint-0.2.3

96d32191 · Nick Mathewson · 39ac1db6 · 00e2310f · 96d32191 · 96d32191
Commit 96d32191 authored 11 years ago by Nick Mathewson
--- a/changes/bug8844
+++ b/changes/bug8844
+  o Major bugfixes:
+    - Prevent the get_freelists() function from running off the end of
+      the list of freelists if it somehow gets an unrecognized
+      allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by
+      eugenis.
+
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -147,7 +147,8 @@ static INLINE chunk_freelist_t *
 get_freelist(size_t alloc)
 {
  int i;
-  for (i=0; freelists[i].alloc_size <= alloc; ++i) {
+  for (i=0; (freelists[i].alloc_size <= alloc &&
+             freelists[i].alloc_size); ++i ) {
    if (freelists[i].alloc_size == alloc) {
      return &freelists[i];
    }

--- a/src/test/test.c
+++ b/src/test/test.c
@@ -802,6 +802,18 @@ test_buffers(void)
  buf_free(buf);
  buf = NULL;

+  /* Try adding a string too long for any freelist. */
+  {
+    char *cp = tor_malloc_zero(65536);
+    buf = buf_new();
+    write_to_buf(cp, 65536, buf);
+    tor_free(cp);
+
+    tt_int_op(buf_datalen(buf), ==, 65536);
+    buf_free(buf);
+    buf = NULL;
+  }
+
 done:
  if (buf)
    buf_free(buf);