Module: sip-router
Branch: 3.3
Commit: 8732b63bf5371914ba0267a22f45aacefe062ad4
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=8732b63b...
Author: Andrei Pelinescu-Onciul andrei@iptel.org
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: Mon Oct 1 11:55:16 2012 +0200
tcp: fix _wbufq_insert bug
When _wbufq_insert was called on a connection that had already some data added to the write buffer (another process was faster and added some data before the process that created the connection had a chance to do it), a wrong size was used in a memmove. This could lead either to corrupted messages or even crashes (if the messages were big enough to cause a buffer overflow).
Many thanks to Jijo for debugging it.
Reported-by: Jijo
(cherry picked from commit 745e30c92336bfc3f8682b2c23e02862db688d9e)
---
tcp_main.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/tcp_main.c b/tcp_main.c index d629647..cc78878 100644 --- a/tcp_main.c +++ b/tcp_main.c @@ -808,7 +808,7 @@ inline static int _wbufq_insert(struct tcp_connection* c, const char* data, } if ((q->first==q->last) && ((q->last->b_size-q->last_used)>=size)){ /* one block with enough space in it for size bytes */ - memmove(q->first->buf+size, q->first->buf, size); + memmove(q->first->buf+size, q->first->buf, q->last_used); memcpy(q->first->buf, data, size); q->last_used+=size; }else{
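Review bot: In the single-block branch, the new memmove length q->last_used is only safe because of the preceding check that q->last->b_size-q->last_used >= size, which keeps size+q->last_used inside the block, yet the comment there only says the block has enough space for size bytes. Suggest extending that comment to say that the q->last_used bytes already queued are shifted up by size before data is copied to the front, so that the length and the bound it relies on are not separated again in a later edit. The subtraction in the condition is also only meaningful while q->last_used <= b_size; the field types are not visible in this hunk, but if they are unsigned, a debug assertion on that invariant would keep the check from wrapping. Since the commit message describes a timing-dependent trigger (another process queuing data first), a test that calls _wbufq_insert on a queue whose single block already holds data would exercise this path deterministically.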