tcp: fix _wbufq_insert bug

When _wbufq_insert was called on a connection that already had
some data added to the write buffer (another process was faster
and added some data before the process that created the connection
had a chance to do it), a wrong size was used in a memmove.
This could lead either to corrupted messages or even crashes (if
the messages were big enough to cause a buffer overflow).

Many thanks to Jijo for debugging it.

Reported-by: Jijo

Andrei Pelinescu-Onciul authored on 01/10/2012 09:55:16
Showing 1 changed files
@@ -808,7 +808,7 @@ inline static int _wbufq_insert(struct  tcp_connection* c, const char* data,
808 808
 	}
809 809
 	if ((q->first==q->last) && ((q->last->b_size-q->last_used)>=size)){
810 810
 		/* one block with enough space in it for size bytes */
811
-		memmove(q->first->buf+size, q->first->buf, size);
811
+		memmove(q->first->buf+size, q->first->buf, q->last_used);
812 812
 		memcpy(q->first->buf, data, size);
813 813
 		q->last_used+=size;
814 814
 	}else{
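Review bot: the memmove length change on line 811 is the right fix, since the bytes that must be shifted to make room are the `q->last_used` bytes already in the block, not the `size` bytes about to be inserted; with the old length, `last_used > size` silently dropped the tail of the queued data and `last_used < size` read past the valid data and wrote past `buf + last_used + size`, which the guard `(q->last->b_size-q->last_used)>=size` on line 809 only bounds for a `last_used`-byte move. Two small follow-ups worth considering: extend the comment on line 810 to say that the existing `last_used` bytes are shifted right by `size` before the new data is prepended, so the next reader does not confuse the two lengths again, and note that `memmove` (rather than `memcpy`) is required here because the source and destination ranges overlap whenever `last_used > size`.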