Commit e402edd9 authored by Nick Mathewson's avatar Nick Mathewson 🤹

Merge remote-tracking branch 'origin/maint-0.2.2'

parents 960f62bd 562c974e

changes/buffer_bug

0 → 100644
+7 −0

  o Major bugfixes:
    - Fix a heap overflow bug that could occur when trying to pull
      data into the first chunk of a buffer, when that chunk had
      already had some data drained from it. Fixes CVE-2011-2778;
      bugfix on 0.2.0.16-alpha. Reported by "Vektor".
+3 −2
@@ -401,9 +401,10 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)

  if (buf->head->memlen >= capacity) {
    /* We don't need to grow the first chunk, but we might need to repack it.*/
    if (CHUNK_REMAINING_CAPACITY(buf->head) < capacity-buf->datalen)
    size_t needed = capacity - buf->head->datalen;
    if (CHUNK_REMAINING_CAPACITY(buf->head) < needed)
      chunk_repack(buf->head);
    tor_assert(CHUNK_REMAINING_CAPACITY(buf->head) >= capacity-buf->datalen);
    tor_assert(CHUNK_REMAINING_CAPACITY(buf->head) >= needed);
  } else {
    chunk_t *newhead;
    size_t newsize;
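Review bot: The new `size_t needed = capacity - buf->head->datalen;` is an unsigned subtraction that silently wraps if the head chunk already holds more than `capacity` bytes, after which the repack is forced and the new `tor_assert(CHUNK_REMAINING_CAPACITY(buf->head) >= needed)` would abort the process rather than report a logic error. buf_pullup's prologue lies outside this hunk and presumably returns early when the head chunk already satisfies the request, but the subtraction here depends on that invariant, so it should be stated locally: `tor_assert(capacity >= buf->head->datalen);` immediately before computing `needed`, or at least a comment such as `/* capacity >= head->datalen is guaranteed by the early return above */`. The same `needed` value then feeds the repack decision and the assert, which is why the previous mix-up between `buf->datalen` and `buf->head->datalen` turned into a heap overflow; making the precondition explicit guards against a regression of that kind.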