From 58a1cc6bc8d4c309a6d8a7bd937479615d4bbffc Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 25 Oct 2010 16:00:47 -0400
Subject: [PATCH] Fix a bug where we would read too much data in HTTP bodies or requests.

We were using evbuffer_add_buffer, which moved the entire buffer contents. But if we had a valid content_length, we only wanted to move up to the amount of data remaining in ntoread. Our bug would make us put our ntoread in the negative, which would in turn make us read all data until the connection closed. Found by Denis Bilenko. Should fix bug 2963172.
---
 http.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/http.c b/http.c
index be2b12fe..526244ae 100644
--- a/http.c
+++ b/http.c
@@ -880,9 +880,12 @@ evhttp_read_body(struct evhttp_connection *evcon, struct evhttp_request *req)
 	    evbuffer_get_length(buf) >= (size_t)req->ntoread) {
 		/* We've postponed moving the data until now, but we're
 		 * about to use it. */
-		req->ntoread -= evbuffer_get_length(buf);
-		req->body_size += evbuffer_get_length(buf);
-		evbuffer_add_buffer(req->input_buffer, buf);
+		size_t n = evbuffer_get_length(buf);
+		if (n > (size_t) req->ntoread)
+			n = (size_t) req->ntoread;
+		req->ntoread -= n;
+		req->body_size += n;
+		evbuffer_remove_buffer(buf, req->input_buffer, n);
 	}
 	if (req->body_size > req->evcon->max_body_size) {
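Review bot: The counters are updated before the data is actually moved, and the return value of `evbuffer_remove_buffer` (the number of bytes moved, or -1 on failure) is discarded, so if the move fails or moves fewer than `n` bytes, `req->ntoread` and `req->body_size` no longer describe what is in `req->input_buffer`; the `max_body_size` check on the last hunk line would then be comparing against an inflated count while `ntoread` has been undercounted. Moving first and accounting from the actual result keeps them in step: `int moved = evbuffer_remove_buffer(buf, req->input_buffer, n);` followed by a failure branch for `moved < 0` (fail the connection, as the surrounding error paths in this function presumably do — verify the helper used there) and then `req->ntoread -= moved; req->body_size += moved;`. The clamp itself looks correct given the `>= (size_t)req->ntoread` arm of the condition, but the condition's first operand is outside the hunk, so whether this branch can be entered with a negative `ntoread` (where the `(size_t)` cast would defeat the clamp) cannot be confirmed from the visible lines. The enclosing `if` starts before the hunk and `evhttp_read_body` continues after it.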