From: Nick Mathewson <nickm@torproject.org>
Date: Tue, 3 Mar 2015 21:20:17 +0000 (+0100)
Subject: Do not leave empty, invalid chunks in buffers during buf_pullup
X-Git-Tag: tor-0.2.4.26~6^2^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=71ee53fe9bdf3f64eef9b38de55960185e8be1b5;p=thirdparty%2Ftor.git

Do not leave empty, invalid chunks in buffers during buf_pullup

This fixes an assertion failure bug in 15083; bugfix on 0.2.0.10-alpha.

Patch from 'cypherpunks'
---

diff --git a/changes/bug15083 b/changes/bug15083
new file mode 100644
index 0000000000..98d1d0e535
--- /dev/null
+++ b/changes/bug15083
@@ -0,0 +1,6 @@
+  o Major bugfixes (relay, stability):
+    - Fix a bug that could lead to a relay crashing with an assertion
+      failure if a buffer of exactly the wrong layout was passed
+      to buf_pullup() at exactly the wrong time. Fixes bug 15083;
+      bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
+   
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 9be0476f64..7976432793 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -426,7 +426,7 @@ buf_pullup(buf_t *buf, size_t bytes, int nulterminate)
     size_t n = bytes - dest->datalen;
     src = dest->next;
     tor_assert(src);
-    if (n > src->datalen) {
+    if (n >= src->datalen) {
       memcpy(CHUNK_WRITE_PTR(dest), src->data, src->datalen);
       dest->datalen += src->datalen;
       dest->next = src->next;