[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r12988: Oops. flush_buf_tls can request more than the requested numb (in tor/trunk: . src/or)



Author: nickm
Date: 2007-12-26 13:55:56 -0500 (Wed, 26 Dec 2007)
New Revision: 12988

Modified:
   tor/trunk/
   tor/trunk/src/or/buffers.c
Log:
 r15717@tombo:  nickm | 2007-12-26 13:55:53 -0500
 Oops.  flush_buf_tls can request more than the requested number of bytes.  When that happens, do not let the size_t sz wrap around.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r15717] on d9e39d38-0f13-419c-a857-e10a0ce2aa0c

Modified: tor/trunk/src/or/buffers.c
===================================================================
--- tor/trunk/src/or/buffers.c	2007-12-26 18:09:36 UTC (rev 12987)
+++ tor/trunk/src/or/buffers.c	2007-12-26 18:55:56 UTC (rev 12988)
@@ -678,7 +678,10 @@
   r = tor_tls_write(tls, chunk->data, sz);
   if (r < 0)
     return r;
-  *buf_flushlen -= r;
+  if (*buf_flushlen > (size_t)r)
+    *buf_flushlen -= r;
+  else
+    *buf_flushlen = 0;
   buf_remove_from_front(buf, r);
   log_debug(LD_NET,"flushed %d bytes, %d ready to flush, %d remain.",
             r,(int)*buf_flushlen,(int)buf->datalen);
@@ -721,25 +724,28 @@
 }
 
 /** As flush_buf(), but writes data to a TLS connection.
+ * DOCDOC can write more than flushlen bytes.
  */
 int
-flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t sz, size_t *buf_flushlen)
+flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t flushlen, size_t *buf_flushlen)
 {
   int r;
   size_t flushed = 0;
+  ssize_t sz;
   tor_assert(buf_flushlen);
   tor_assert(*buf_flushlen <= buf->datalen);
-  tor_assert(sz <= *buf_flushlen);
+  tor_assert(flushlen <= *buf_flushlen);
+  sz = (ssize_t) flushlen;
 
   /* we want to let tls write even if flushlen is zero, because it might
    * have a partial record pending */
   check_no_tls_errors();
 
   check();
-  while (sz) {
+  while (sz >= 0) {
     size_t flushlen0;
     if (buf->head) {
-      if (buf->head->datalen >= sz)
+      if ((ssize_t)buf->head->datalen >= sz)
         flushlen0 = sz;
       else
         flushlen0 = buf->head->datalen;