From 1c864688bb45e576c6da32c976e92378548c3009 Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker
Date: Fri, 10 Oct 2014 23:56:16 +0200
Subject: [PATCH] linebuf: Fix possible memory corruption when receiving many CR/LF.

The last byte of balloc.c's block pointer could be changed from 10 or 13 to 0. On amd64, this is not possible. On i386, this is possible and usually causes a crash soon.
---
 libratbox/src/linebuf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libratbox/src/linebuf.c b/libratbox/src/linebuf.c
index 782e1831..ca3440ba 100644
--- a/libratbox/src/linebuf.c
+++ b/libratbox/src/linebuf.c
@@ -224,7 +224,8 @@ rb_linebuf_copy_line(buf_head_t * bufhead, buf_line_t * bufline, char *data, int
  /* This is the ~overflow case..This doesn't happen often.. */
  if(cpylen > (BUF_DATA_SIZE - bufline->len - 1))
  {
- memcpy(bufch, ch, (BUF_DATA_SIZE - bufline->len - 1));
+ cpylen = BUF_DATA_SIZE - bufline->len - 1;
+ memcpy(bufch, ch, cpylen);
  bufline->buf[BUF_DATA_SIZE - 1] = '\0';
  bufch = bufline->buf + BUF_DATA_SIZE - 2;
  while(cpylen && (*bufch == '\r' || *bufch == '\n'))
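Review bot: The new clamp `cpylen = BUF_DATA_SIZE - bufline->len - 1;` is computed in signed arithmetic with no check that bufline->len is still below BUF_DATA_SIZE - 1; if a caller can ever reach that state (the hunk does not show where len is bounded), cpylen becomes zero or negative and memcpy would receive the negative value converted to size_t. If cpylen is the signed int that the `while(cpylen && ...)` guard suggests, a one-line guard after the clamp, `if(cpylen < 0) cpylen = 0;`, or an assertion on bufline->len before the memcpy would make the truncation path self-contained rather than dependent on an invariant kept elsewhere. It would also help to record why the clamp exists, since the CR/LF-stripping loop that follows presumably walks bufch backwards and is bounded only by cpylen: `/* cpylen must reflect what was actually copied: the CR/LF strip below walks back at most cpylen bytes from buf[BUF_DATA_SIZE - 2] */`. rb_linebuf_copy_line begins before the hunk and the body of the while loop continues past it.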