diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-05-08 12:04:18 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-05-09 13:10:48 -0400 |
| commit | 00e2310f12dfb91aca2949463b57bd6937f19166 (patch) | |
| tree | 5ea0e332e40d233d798f17e48f18aceb4ebc4de6 /src/or/buffers.c | |
| parent | 39ac1db60e8b920e1e6b07e08f7f3343960ece79 (diff) | |
| download | tor-00e2310f12dfb91aca2949463b57bd6937f19166.tar tor-00e2310f12dfb91aca2949463b57bd6937f19166.tar.gz | |
Don't run off the end of the array-of-freelists
This is a fix for bug 8844, where eugenis correctly notes that there's
a sentinel value at the end of the list-of-freelists that's never
actually checked. It's a bug since the first version of the chunked
buffer code back in 0.2.0.16-alpha.
This would probably be a crash bug if it ever happens, but nobody's
ever reported something like this, so I'm unsure whether it can occur.
It would require write_to_buf, write_to_buf_zlib, read_to_buf, or
read_to_buf_tls to get an input size of more than 32K. Still, it's a
good idea to fix this kind of thing!
Diffstat (limited to 'src/or/buffers.c')
| -rw-r--r-- | src/or/buffers.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/or/buffers.c b/src/or/buffers.c index ad5ab83e4..9be0476f6 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -147,7 +147,8 @@ static INLINE chunk_freelist_t * get_freelist(size_t alloc) { int i; - for (i=0; freelists[i].alloc_size <= alloc; ++i) { + for (i=0; (freelists[i].alloc_size <= alloc && + freelists[i].alloc_size); ++i ) { if (freelists[i].alloc_size == alloc) { return &freelists[i]; } |