[sr-dev] git:3.3: tcp: fix _wbufq_insert bug

Daniel-Constantin Mierla miconda at gmail.com
Fri Oct 5 16:24:27 CEST 2012


Module: sip-router
Branch: 3.3
Commit: 8732b63bf5371914ba0267a22f45aacefe062ad4
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=8732b63bf5371914ba0267a22f45aacefe062ad4

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Mon Oct  1 11:55:16 2012 +0200

tcp: fix _wbufq_insert bug

When _wbufq_insert was called on a connection that had already
some data added to the write buffer (another process was faster
and added some data before the process that created the connection
had a chance to do it), a wrong size was used in a memmove.
This could lead either to corrupted messages or even crashes (if
 the messages were big enough to cause a buffer overflow).

Many thanks to Jijo for debugging it.

Reported-by: Jijo
(cherry picked from commit 745e30c92336bfc3f8682b2c23e02862db688d9e)

---

 tcp_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/tcp_main.c b/tcp_main.c
index d629647..cc78878 100644
--- a/tcp_main.c
+++ b/tcp_main.c
@@ -808,7 +808,7 @@ inline static int _wbufq_insert(struct  tcp_connection* c, const char* data,
 	}
 	if ((q->first==q->last) && ((q->last->b_size-q->last_used)>=size)){
 		/* one block with enough space in it for size bytes */
-		memmove(q->first->buf+size, q->first->buf, size);
+		memmove(q->first->buf+size, q->first->buf, q->last_used);
 		memcpy(q->first->buf, data, size);
 		q->last_used+=size;
 	}else{
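Review bot: The memmove length on the changed line is only safe because of the enclosing condition `(q->last->b_size-q->last_used)>=size`, and the block comment ("one block with enough space in it for size bytes") does not say that the existing `q->last_used` bytes are being shifted up by `size` to make room at the front. I would extend that comment to state the invariant explicitly: after the shift the data ends at `buf + size + q->last_used`, which the condition keeps within `b_size`. That makes it obvious why the length must be `q->last_used` and not `size`, which is the mistake this commit corrects (the old length could write up to `buf + 2*size`, which the condition does not bound). The commit message describes a specific trigger, another process queuing data before the connection's creator does; a regression test that calls `_wbufq_insert` on a queue with a single, partly filled block and checks the resulting buffer contents for both `size < q->last_used` and `size > q->last_used` would keep this from regressing.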



