[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r13635: Fix a bug that kept buf_find_string_offset from finding a st (in tor/trunk: . src/or)

Author: nickm
Date: 2008-02-20 21:10:38 -0500 (Wed, 20 Feb 2008)
New Revision: 13635

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/buffers.c
   tor/trunk/src/or/test.c
Log:
 r18286@catbus:  nickm | 2008-02-20 21:10:33 -0500
 Fix a bug that kept buf_find_string_offset from finding a string at the very end of the buffer.  Add a unit test for this. Also, do not save a pointer to a chunk that might get reallocated by buf_pullup().



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r18286] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2008-02-20 23:58:48 UTC (rev 13634)
+++ tor/trunk/ChangeLog	2008-02-21 02:10:38 UTC (rev 13635)
@@ -19,6 +19,7 @@
       0.2.0.x
     - Fix code used to find strings within buffers, when those strings
       are not in the first chunk of the buffer.
+    - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
 
   o Minor features (performance):
     - Tune parameters for cell pool allocation to minimize amount of

Modified: tor/trunk/src/or/buffers.c
===================================================================
--- tor/trunk/src/or/buffers.c	2008-02-20 23:58:48 UTC (rev 13634)
+++ tor/trunk/src/or/buffers.c	2008-02-21 02:10:38 UTC (rev 13635)
@@ -1072,18 +1072,24 @@
 buf_matches_at_pos(const buf_pos_t *pos, const char *s, size_t n)
 {
   buf_pos_t p;
+  if (!n)
+    return 1;
+
   memcpy(&p, pos, sizeof(p));
 
-  while (n) {
+  while (1) {
     char ch = p.chunk->data[p.pos];
     if (ch != *s)
       return 0;
     ++s;
-    --n;
+    /* If we're out of characters that don't match, we match.  Check this
+     * _before_ we test incrementing pos, in case we're at the end of the
+     * string. */
+    if (--n == 0)
+      return 1;
     if (buf_pos_inc(&p)<0)
       return 0;
   }
-  return 1;
 }
 
 /** Return the first position in <b>buf</b> at which the <b>n</b>-character
@@ -1137,7 +1143,6 @@
   if (!buf->head)
     return 0;
 
-  headers = buf->head->data;
   crlf_offset = buf_find_string_offset(buf, "\r\n\r\n", 4);
   if (crlf_offset > (int)max_headerlen ||
       (crlf_offset < 0 && buf->datalen > max_headerlen)) {
@@ -1153,6 +1158,7 @@
     buf_pullup(buf, crlf_offset+4, 0);
   headerlen = crlf_offset + 4;
 
+  headers = buf->head->data;
   bodylen = buf->datalen - headerlen;
   log_debug(LD_HTTP,"headerlen %d, bodylen %d.", (int)headerlen, (int)bodylen);
 

Modified: tor/trunk/src/or/test.c
===================================================================
--- tor/trunk/src/or/test.c	2008-02-20 23:58:48 UTC (rev 13634)
+++ tor/trunk/src/or/test.c	2008-02-21 02:10:38 UTC (rev 13635)
@@ -267,6 +267,7 @@
   test_eq(39, buf_find_string_offset(buf, "ing str", 7));
   test_eq(35, buf_find_string_offset(buf, "Testing str", 11));
   test_eq(32, buf_find_string_offset(buf, "ng ", 3));
+  test_eq(43, buf_find_string_offset(buf, "string.", 7));
   test_eq(-1, buf_find_string_offset(buf, "shrdlu", 6));
   test_eq(-1, buf_find_string_offset(buf, "Testing thing", 13));
   test_eq(-1, buf_find_string_offset(buf, "ngx", 3));