From: Nick Mathewson
Date: Wed, 26 Dec 2007 18:55:56 +0000 (+0000)
Subject: r15717@tombo: nickm | 2007-12-26 13:55:53 -0500
X-Git-Tag: tor-0.2.0.16-alpha~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80151b42df0011adf4c4798c51cb496c773d2e2b;p=thirdparty%2Ftor.git
r15717@tombo: nickm | 2007-12-26 13:55:53 -0500 Oops. flush_buf_tls can request more than the requested number of bytes. When that happens, do not let the size_t sz wrap around. svn:r12988
---
diff --git a/src/or/buffers.c b/src/or/buffers.c
index e446064c97..bf57a7a87c 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -678,7 +678,10 @@ flush_chunk_tls(tor_tls_t *tls, buf_t *buf, chunk_t *chunk,
 r = tor_tls_write(tls, chunk->data, sz);
 if (r < 0)
 return r;
- *buf_flushlen -= r;
+ if (*buf_flushlen > (size_t)r)
+ *buf_flushlen -= r;
+ else
+ *buf_flushlen = 0;
 buf_remove_from_front(buf, r);
 log_debug(LD_NET,"flushed %d bytes, %d ready to flush, %d remain.",
 r,(int)*buf_flushlen,(int)buf->datalen);
@@ -721,25 +724,28 @@ flush_buf(int s, buf_t *buf, size_t sz, size_t *buf_flushlen)
 }
 /** As flush_buf(), but writes data to a TLS connection.
+ * DOCDOC can write more than flushlen bytes.
 */
 int
-flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t sz, size_t *buf_flushlen)
+flush_buf_tls(tor_tls_t *tls, buf_t *buf, size_t flushlen, size_t *buf_flushlen)
 {
 int r;
 size_t flushed = 0;
+ ssize_t sz;
 tor_assert(buf_flushlen);
 tor_assert(*buf_flushlen <= buf->datalen);
- tor_assert(sz <= *buf_flushlen);
+ tor_assert(flushlen <= *buf_flushlen);
+ sz = (ssize_t) flushlen;
 /* we want to let tls write even if flushlen is zero, because it might
 * have a partial record pending */
 check_no_tls_errors();
 check();
- while (sz) {
+ while (sz >= 0) {
 size_t flushlen0;
 if (buf->head) {
- if (buf->head->datalen >= sz)
+ if ((ssize_t)buf->head->datalen >= sz)
 flushlen0 = sz;
 else
 flushlen0 = buf->head->datalen;
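Review bot: In flush_chunk_tls the new clamp protects only `*buf_flushlen`; the same `r` is passed unchecked to `buf_remove_from_front(buf, r)` on the following line. If `tor_tls_write` can report more bytes than `sz`, it is worth confirming that `r` cannot also exceed what the buffer holds. That helper's bounds handling is not visible in this hunk, so this is a question rather than a confirmed defect. A guard such as `tor_assert((size_t)r <= buf->datalen);` before the removal would make the invariant explicit. A short comment on the `else` branch, e.g. `/* TLS flushed more than we asked for; don't let the counter wrap */`, would record why the clamp exists; the function starts and ends outside the hunk.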
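Review bot: In flush_buf_tls, `while (sz >= 0)` no longer ends when `sz` reaches zero, so termination now depends on the part of the loop body that lies outside this hunk. Presumably that is a `break` on a zero-byte write, or `sz` going negative after a subtraction, and it should be checked. The cast `sz = (ssize_t) flushlen;` is range-limited only indirectly through the two `tor_assert` lines above it; an explicit assertion that `flushlen` fits in `ssize_t` would state the assumption the signed comparison relies on. The `DOCDOC` placeholder should become a real sentence, for example `* May write more than flushlen bytes when TLS has a partial record pending; *buf_flushlen is then set to 0 rather than wrapping.`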