From: Simon Tatham Date: Mon, 22 Sep 2014 09:28:05 +0000 (+0100) Subject: SECURITY: fixed fix to buffer handling X-Git-Tag: base.fuzz-slip-decoder.2~1 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=commitdiff_plain;h=2ec49059fbb09a119ede30da946b46e98c58199c SECURITY: fixed fix to buffer handling The implementation of buf_remaining_space in 92795040 was entirely broken. It failed to take buf->size into account at all ! Signed-off-by: Ian Jackson
---
diff --git a/util.h b/util.h
index 29b68e7..5866e57 100644
--- a/util.h
+++ b/util.h
@@ -31,7 +31,7 @@ extern void *buf_unprepend(struct buffer_if *buf, int32_t amount);
 static inline int32_t buf_remaining_space(const struct buffer_if *buf)
 {
- return (buf->base + buf->alloclen) - buf->start;
+ return (buf->base + buf->alloclen) - (buf->start + buf->size);
 }
 extern void buffer_readonly_view(struct buffer_if *n, const void*, int32_t len);
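Review bot: buf_remaining_space still has no comment stating which space it measures, which is the ambiguity the previous version got wrong; a one-line contract above it would pin this down, e.g. `/* Bytes free after the current contents, i.e. from start+size up to base+alloclen. */`. The corrected expression also relies on `buf->start + buf->size` never exceeding `buf->base + buf->alloclen`. If that invariant is ever broken the result is negative, and any caller that compares it against an unsigned length would pass the check (callers are outside this hunk, so this is inferred). Making the helper fail closed would guard against that, for instance `assert(buf->start + buf->size <= buf->base + buf->alloclen);` before the return, if assert is usable in this header. The pointer difference is also narrowed to int32_t implicitly; an explicit cast would document that this is intended.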