From 7116bf231433d565da33cee3b7292e212e026c7d Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 15 Feb 2010 21:03:52 -0500
Subject: [PATCH] Fix two unlocked reads in evbuffer.

Some initializers (in evbuffer_read and evbuffer_commit) were reading the last and/or previous_to_last fields without grabbing the evbuffer lock. This may fix a hard-to-trigger race condition or two.
---
 buffer.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/buffer.c b/buffer.c
index e098df79..8624f0ec 100644
--- a/buffer.c
+++ b/buffer.c
@@ -535,13 +535,15 @@ int
 evbuffer_commit_space(struct evbuffer *buf, struct evbuffer_iovec *vec, int n_vecs)
 {
-	struct evbuffer_chain *prev = buf->previous_to_last;
-	struct evbuffer_chain *last = buf->last;
+	struct evbuffer_chain *last, *prev;
 	int result = -1;
 	size_t added;
-
 	EVBUFFER_LOCK(buf);
+
+	prev = buf->previous_to_last;
+	last = buf->last;
+
 	if (buf->freeze_end)
 		goto done;
 	if (n_vecs < 1 || n_vecs > 2)
@@ -1616,7 +1618,7 @@ _evbuffer_read_setup_vecs(struct evbuffer *buf, ev_ssize_t howmuch,
 int
 evbuffer_read(struct evbuffer *buf, evutil_socket_t fd, int howmuch)
 {
-	struct evbuffer_chain *chain = buf->last;
+	struct evbuffer_chain *chain;
 	int n = EVBUFFER_MAX_READ;
 	int result;
@@ -1631,6 +1633,8 @@ evbuffer_read(struct evbuffer *buf, evutil_socket_t fd, int howmuch)
 	EVBUFFER_LOCK(buf);
+	chain = buf->last;
+
 	if (buf->freeze_end) {
 		result = -1;
 		goto done;
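Review bot: In the evbuffer_commit_space hunk the reads of `buf->previous_to_last` and `buf->last` now sit after `EVBUFFER_LOCK(buf)`, but nothing in the code records that this ordering is deliberate, so a later cleanup could hoist the two assignments back into the declarations (the exact regression this commit undoes) without any compiler complaint. I would add a one-line comment above the assignments, e.g. `/* Snapshot the chain tail only under the lock; other evbuffer calls may change it. */`, so the invariant survives refactoring. Note that `last` and `prev` are left indeterminate between the declaration and the lock; that is harmless here because only other declarations sit in between, but initialising them to `NULL` would make that explicit. evbuffer_commit_space continues past the end of the hunk, so whether every later use of `last`/`prev` stays inside the locked region is not visible from this diff.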
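Review bot: In the @@ -1616 hunk `chain` is declared without an initializer and is only assigned after `EVBUFFER_LOCK(buf)` in the @@ -1631 hunk; the roughly dozen lines of evbuffer_read between the two hunks are outside the diff, so if any of them (an early-return path, or a non-iovec branch) reads `chain`, that read is now of an indeterminate pointer, which is undefined behaviour rather than merely a stale value. Since the lock-ordering fix does not depend on the declaration being bare, a defensive default `struct evbuffer_chain *chain = NULL;` would keep such a path from dereferencing garbage, and building with `-Wall` (which enables -Wmaybe-uninitialized) would surface any remaining use before the assignment. The same observation applies to the later `chain = buf->last;` hunk, which is the other half of this change. evbuffer_read continues past both hunks, so the later uses of `chain` are not visible here.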