linebuf: Fix possible memory corruption when receiving many CR/LF.
authorJilles Tjoelker <redacted>
Fri, 10 Oct 2014 21:56:16 +0000 (23:56 +0200)
committerJilles Tjoelker <redacted>
Wed, 5 Nov 2014 20:42:35 +0000 (21:42 +0100)
The last byte of balloc.c's block pointer could be changed from 10 or 13 to
0. On amd64, this is not possible. On i386, this is possible and usually
causes a crash soon.

libratbox/src/linebuf.c

index 782e183130a0132f18d7ec4cb8704dd8ae84a22c..ca3440ba5f9fe0c51a85430b6806a3b37d87fa74 100644 (file)
@@ -224,7 +224,8 @@ rb_linebuf_copy_line(buf_head_t * bufhead, buf_line_t * bufline, char *data, int
        /* This is the ~overflow case..This doesn't happen often.. */
        if(cpylen > (BUF_DATA_SIZE - bufline->len - 1))
        {
-               memcpy(bufch, ch, (BUF_DATA_SIZE - bufline->len - 1));
+               cpylen = BUF_DATA_SIZE - bufline->len - 1;
+               memcpy(bufch, ch, cpylen);
                bufline->buf[BUF_DATA_SIZE - 1] = '\0';
                bufch = bufline->buf + BUF_DATA_SIZE - 2;
                while(cpylen && (*bufch == '\r' || *bufch == '\n'))
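Review bot: The new `cpylen = BUF_DATA_SIZE - bufline->len - 1;` assignment is load-bearing for memory safety but nothing in the hunk says why, so the next refactor can silently reintroduce the out-of-bounds write the commit message describes; the truncation branch deserves a why-comment such as `/* cpylen must be the truncated length: the CR/LF strip below walks backward cpylen bytes from the end of buf, so an over-large cpylen lets bufch run past the start of the buffer */`. With the fix, the walk that starts at `bufline->buf + BUF_DATA_SIZE - 2` can step back at most `cpylen` bytes, which appears to bottom out exactly at index `bufline->len`, i.e. the first byte of the newly copied data, and never before `bufline->buf`; the loop body that decrements `bufch`/`cpylen` is outside the hunk, so that bound should be confirmed against it. As a smaller point of style, `BUF_DATA_SIZE - bufline->len - 1` is now spelled out twice in four lines; computing it once into a named local (`int room = BUF_DATA_SIZE - bufline->len - 1;`) and using `room` in both the `if` and the assignment makes the invariant easier to see and harder to drift. rb_linebuf_copy_line begins before this hunk and continues after it.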