authorTodd C. Miller <Todd.Miller@sudo.ws>2021-09-28 13:24:21 -0600
committerTodd C. Miller <Todd.Miller@sudo.ws>2021-09-28 13:24:21 -0600
commit7147ebf7d9052f8f4b209b29aee497b2dd3fb42e (patch)
treef08c9e8a63d4abe9a7a2b0bc0ff0b2248e98858d /logsrvd
parent03d00189a03608c0e62acb6ada1a653ae56ef0c9 (diff)
downloadsudo-7147ebf7d9052f8f4b209b29aee497b2dd3fb42e.tar.gz
expand_buf: fix conditional for when we need to preserve existing data
It is possible for the buffer offset to be zero when the length is non-zero. The proper value to use is the same as is used for the memcpy/memmove size. Fixes buffer corruption caused by a very long command line that usually results in a dropped connection.
Diffstat (limited to 'logsrvd')
-rw-r--r--logsrvd/logsrv_util.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/logsrvd/logsrv_util.c b/logsrvd/logsrv_util.c
index c6ff65ae4..ea16f00da 100644
--- a/logsrvd/logsrv_util.c
+++ b/logsrvd/logsrv_util.c
@@ -58,18 +58,20 @@ expand_buf(struct connection_buffer *buf, unsigned int needed)
if (buf->size < needed) {
/* Expand buffer. */
needed = sudo_pow2_roundup(needed);
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "expanding buffer from %u to %u", buf->size, needed);
if ((newdata = malloc(needed)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
debug_return_bool(false);
}
- if (buf->off > 0)
+ if (buf->len - buf->off > 0)
memcpy(newdata, buf->data + buf->off, buf->len - buf->off);
free(buf->data);
buf->data = newdata;
buf->size = needed;
} else {
/* Just reset existing buffer. */
- if (buf->off > 0) {
+ if (buf->len - buf->off > 0) {
memmove(buf->data, buf->data + buf->off,
buf->len - buf->off);
}