From: Nick Mathewson <nickm@torproject.org>
Date: Mon, 18 Oct 2010 18:38:48 +0000 (-0400)
Subject: Do not silently truncate URIs in evhttp_uri_join. Also avoid evbuffer_pullup.
X-Git-Tag: release-2.0.9-rc~59^2~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7d45431e15dc0d8aa88fddc4fc406e19fe54d004;p=libevent

Do not silently truncate URIs in evhttp_uri_join. Also avoid evbuffer_pullup.
---

diff --git a/http.c b/http.c
index 7677e493..ba2d528b 100644
--- a/http.c
+++ b/http.c
@@ -3437,10 +3437,9 @@ void evhttp_uri_free(struct evhttp_uri *uri)
 }
 
 char *
-evhttp_uri_join(struct evhttp_uri *uri, void *buf, size_t limit)
+evhttp_uri_join(struct evhttp_uri *uri, char *buf, size_t limit)
 {
 	struct evbuffer *tmp = 0;
-	unsigned char *joined = 0;
 	size_t joined_size = 0;
 
 #define _URI_ADD(f)	evbuffer_add(tmp, uri->f, strlen(uri->f))
@@ -3482,15 +3481,15 @@ evhttp_uri_join(struct evhttp_uri *uri, void *buf, size_t limit)
 
 	evbuffer_add(tmp, "\0", 1); /* NUL */
 
-	joined = evbuffer_pullup(tmp, -1);
 	joined_size = evbuffer_get_length(tmp);
 
-	if (joined_size < limit)
-		memcpy(buf, joined, joined_size);
-	else {
-		memcpy(buf, joined, limit-1);
-		*((char *)buf+ limit - 1) = '\0';
+	if (joined_size > limit) {
+		/* It doesn't fit. */
+		evbuffer_free(tmp);
+		return NULL;
 	}
+       	evbuffer_remove(tmp, buf, joined_size);
+
 	evbuffer_free(tmp);
 
 	return (char *)buf;
diff --git a/include/event2/http.h b/include/event2/http.h
index 9293270d..655ff254 100644
--- a/include/event2/http.h
+++ b/include/event2/http.h
@@ -637,7 +637,7 @@ void evhttp_uri_free(struct evhttp_uri *uri);
  * @return an joined uri as string or NULL on error
    @see evhttp_uri_parse()
  */
-char *evhttp_uri_join(struct evhttp_uri *uri, void *buf, size_t limit);
+char *evhttp_uri_join(struct evhttp_uri *uri, char *buf, size_t limit);
 
 #ifdef __cplusplus
 }