author | Todd C. Miller <Todd.Miller@sudo.ws> | 2021-09-28 13:24:21 -0600 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2021-09-28 13:24:21 -0600 |
commit | 7147ebf7d9052f8f4b209b29aee497b2dd3fb42e (patch) | |
tree | f08c9e8a63d4abe9a7a2b0bc0ff0b2248e98858d /logsrvd | |
parent | 03d00189a03608c0e62acb6ada1a653ae56ef0c9 (diff) | |
download | sudo-7147ebf7d9052f8f4b209b29aee497b2dd3fb42e.tar.gz |
expand_buf: fix conditional for when we need to preserve existing data
It is possible for the buffer offset to be zero when the length is
non-zero. The proper value to use is the same as is used for the
memcpy/memmove size. Fixes buffer corruption caused by a very long
command line that usually results in a dropped connection.
Diffstat (limited to 'logsrvd')
-rw-r--r-- | logsrvd/logsrv_util.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/logsrvd/logsrv_util.c b/logsrvd/logsrv_util.c
index c6ff65ae4..ea16f00da 100644
--- a/logsrvd/logsrv_util.c
+++ b/logsrvd/logsrv_util.c
@@ -58,18 +58,20 @@ expand_buf(struct connection_buffer *buf, unsigned int needed)
 if (buf->size < needed) {
 /* Expand buffer. */
 needed = sudo_pow2_roundup(needed);
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "expanding buffer from %u to %u", buf->size, needed);
 if ((newdata = malloc(needed)) == NULL) {
 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 debug_return_bool(false);
 }
- if (buf->off > 0)
+ if (buf->len - buf->off > 0)
 memcpy(newdata, buf->data + buf->off, buf->len - buf->off);
 free(buf->data);
 buf->data = newdata;
 buf->size = needed;
 } else {
 /* Just reset existing buffer. */
- if (buf->off > 0) {
+ if (buf->len - buf->off > 0) {
 memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
 } |
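Review bot: The new guards `buf->len - buf->off > 0` in both branches of expand_buf are only safe while `buf->off <= buf->len`. `buf->size` is printed with `%u`, and if `len` and `off` are unsigned as well (their declarations are not in the hunk), the subtraction wraps when `off` exceeds `len`, so the test passes and memcpy/memmove receive a very large length. Writing the test as `if (buf->len > buf->off)` is equivalent for valid state and skips the copy instead of wrapping. The expand branch also copies into `newdata` without comparing `buf->len - buf->off` with `needed`, so it appears to rely on callers including the preserved bytes in `needed`; a comment above the memcpy stating that contract would help. The function starts before and ends after this hunk, so any checks made there are not visible.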