Hi Ken,
thanks for the bug report. Your regression test was good.
Unfortunately, the fix was buggy :-) Here is what I plan on
submitting as a fix:
Index: buffer.c
===================================================================
--- buffer.c (revision 351)
+++ buffer.c (working copy)
@@ -431,13 +431,12 @@
u_char *
evbuffer_find(struct evbuffer *buffer, const u_char *what, size_t len)
{
- size_t remain = buffer->off;
- u_char *search = buffer->buffer;
+ u_char *search = buffer->buffer, *end = search + buffer->off;
u_char *p;
- while ((p = memchr(search, *what, remain)) != NULL) {
- remain = buffer->off - (size_t)(search - buffer->buffer);
- if (remain < len)
+ while (search < end &&
+ (p = memchr(search, *what, end - search)) != NULL) {
+ if (p + len > end)
break;
if (memcmp(p, what, len) == 0)
return (p);
Thanks,
Niels.
On 4/16/07, Ken Cox <[EMAIL PROTECTED]> wrote:
Greetings,
We found an error where evbuffer_find(buf,"\r\n",2) would find only a bare
"\r" at the end of the buffer, if there happened to be a leftover "\n" in
the next byte. I added new tests to regress.c to show the bug and the
error which is visible on FC6 with valgrind. I'm not certain that the
enclosed fix is the most concise one possible, but it fixes the bug and
the valgrind error.
Regards,
Ken Cox
k e n s t i r a t v i v o x d o t c o m
_______________________________________________
Libevent-users mailing list
[email protected]
http://monkey.org/mailman/listinfo/libevent-users
_______________________________________________
Libevent-users mailing list
[email protected]
http://monkey.org/mailman/listinfo/libevent-users
