Fix a harmless off-by-one error in counting controller argument lengths
authorNick Mathewson <nickm@torproject.org>
Thu, 2 Dec 2010 18:19:21 +0000 (13:19 -0500)
committerNick Mathewson <nickm@torproject.org>
Thu, 2 Dec 2010 18:19:21 +0000 (13:19 -0500)
Bugfix on 0.1.1.1-alpha; found by boboper.

changes/bytecount [new file with mode: 0644]
src/or/control.c

diff --git a/changes/bytecount b/changes/bytecount
new file mode 100644 (file)
index 0000000..50c4d6b
--- /dev/null
@@ -0,0 +1,5 @@
+  o Minor bugfixes
+    - Fix a off-by-one error in calculating some controller command argument
+      lengths.  Fortunately, this is harmless, the controller code does
+      redundant NUL termination too.  Found by boboper.  Bugfix on
+      0.1.1.1-alpha.
index 4d505a98fb4c26e60fe6db441c30be0d4c30db33..ad316c4ebcd617ea553cde4711fe0710dbe20b0b 100644 (file)
@@ -2855,9 +2855,10 @@ connection_control_process_inbuf(control_connection_t *conn)
          && !TOR_ISSPACE(conn->incoming_cmd[cmd_len]))
     ++cmd_len;
 
-  data_len -= cmd_len;
   conn->incoming_cmd[cmd_len]='\0';
   args = conn->incoming_cmd+cmd_len+1;
+  tor_assert(data_len>(size_t)cmd_len);
+  data_len -= (cmd_len+1); /* skip the command and NUL we added after it */
   while (*args == ' ' || *args == '\t') {
     ++args;
     --data_len;
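Review bot: The new `tor_assert(data_len>(size_t)cmd_len);` sits after `conn->incoming_cmd[cmd_len]='\0';` and the `args` computation, so if the invariant ever failed, the store at index `cmd_len` would already have happened before the assertion fires. Moving the assert to just before the NUL store would make it guard the write it is meant to justify. A one-line comment on why it holds would also help, for example `/* the scan above stopped on a whitespace byte, so cmd_len < data_len */`; I am inferring that reason from the loop condition, whose first half lies outside the hunk. The whitespace-skipping loop that follows decrements `data_len` with no lower bound and appears to rely on a terminating non-blank byte, which deserves a comment too. Its body and the rest of connection_control_process_inbuf continue outside the hunk.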