From: Michael Poole <mdpoole@troilus.org>
Date: Sun, 11 Mar 2007 15:59:07 +0000 (-0400)
Subject: Avoid possible one-byte overrun in ioset_line_read().
X-Git-Tag: v1.4.0-rc1~59
X-Git-Url: http://git.pk910.de/?a=commitdiff_plain;h=51cae93b35b52f61992dc93fb845dc7491e33943;hp=b78dd41ac380362285852878d19ff323c087aee7;p=srvx.git

Avoid possible one-byte overrun in ioset_line_read().

src/ioset.c (ioset_line_read): We can safely overwrite dest[max-1] to
  terminate the buffer.  Also return the available line length, rather
  than the number of bytes written to the buffer.
---

diff --git a/src/ioset.c b/src/ioset.c
index d2e1eb2..9cf1c43 100644
--- a/src/ioset.c
+++ b/src/ioset.c
@@ -452,18 +452,21 @@ ioset_buffered_read(struct io_fd *fd) {
 
 int
 ioset_line_read(struct io_fd *fd, char *dest, int max) {
-    int avail, done;
-    if ((fd->state == IO_CLOSED) && (!ioq_get_avail(&fd->recv) ||  (fd->line_len < 0)))
+    int line_len;
+    int avail;
+    int done;
+
+    line_len = fd->line_len;
+    if ((fd->state == IO_CLOSED) && (!ioq_get_avail(&fd->recv) ||  (line_len < 0)))
         return 0;
-    if (fd->line_len < 0)
+    if (line_len < 0)
         return -1;
-    if (fd->line_len < max)
-        max = fd->line_len;
+    if (line_len < max)
+        max = line_len;
     avail = ioq_get_avail(&fd->recv);
     if (max > avail) {
         memcpy(dest, fd->recv.buf + fd->recv.get, avail);
-        fd->recv.get += avail;
-        assert(fd->recv.get == fd->recv.size);
+        assert(fd->recv.get + avail == fd->recv.size);
         fd->recv.get = 0;
         done = avail;
     } else {
@@ -473,9 +476,9 @@ ioset_line_read(struct io_fd *fd, char *dest, int max) {
     fd->recv.get += max - done;
     if (fd->recv.get == fd->recv.size)
         fd->recv.get = 0;
-    dest[max] = 0;
+    dest[max - 1] = 0;
     ioset_find_line_length(fd);
-    return max;
+    return line_len;
 }
 
 void