[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] [tor/maint-0.2.2] Fix a harmless off-by-one error in counting controller argument lengths



Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu, 2 Dec 2010 13:19:21 -0500
Subject: Fix a harmless off-by-one error in counting controller argument lengths
Commit: ee8f451bf1a8a0d01bb990ddf96f810a254394eb

Bugfix on 0.1.1.1-alpha; found by boboper.
---
 changes/bytecount |    5 +++++
 src/or/control.c  |    3 ++-
 2 files changed, 7 insertions(+), 1 deletions(-)
 create mode 100644 changes/bytecount

diff --git a/changes/bytecount b/changes/bytecount
new file mode 100644
index 0000000..50c4d6b
--- /dev/null
+++ b/changes/bytecount
@@ -0,0 +1,5 @@
+  o Minor bugfixes
+    - Fix a off-by-one error in calculating some controller command argument
+      lengths.  Fortunately, this is harmless, the controller code does
+      redundant NUL termination too.  Found by boboper.  Bugfix on
+      0.1.1.1-alpha.
diff --git a/src/or/control.c b/src/or/control.c
index 4d505a9..ad316c4 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -2855,9 +2855,10 @@ connection_control_process_inbuf(control_connection_t *conn)
          && !TOR_ISSPACE(conn->incoming_cmd[cmd_len]))
     ++cmd_len;
 
-  data_len -= cmd_len;
   conn->incoming_cmd[cmd_len]='\0';
   args = conn->incoming_cmd+cmd_len+1;
+  tor_assert(data_len>(size_t)cmd_len);
+  data_len -= (cmd_len+1); /* skip the command and NUL we added after it */
   while (*args == ' ' || *args == '\t') {
     ++args;
     --data_len;
-- 
1.7.1