From cda56abf194eb70f00c8e6ce95ec31f226048f9f Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 31 Mar 2010 12:29:26 -0400
Subject: [PATCH] Fix critical bug in evbuffer_write when writev is not available

evbuffer_pullup() returns NULL if you try to pull up more bytes than are there. But evbuffer_write_atmost would sometimes ask for more bytes to be pulled up than it had, get a NULL, and fail.
---
 buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buffer.c b/buffer.c
index 5cbd10b1..3bec0c63 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1969,7 +1969,7 @@ evbuffer_write_atmost(struct evbuffer *buffer, evutil_socket_t fd,
 goto done;
 }

- if (howmuch < 0)
+ if (howmuch < 0 || howmuch > buffer->total_len)
 howmuch = buffer->total_len;

 {
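Review bot: The new bound `howmuch > buffer->total_len` compares a value that is evidently signed (it is tested with `< 0`) against what is presumably an unsigned length field, so it only works because the `howmuch < 0 ||` short-circuit runs first. I would make that explicit with `if (howmuch < 0 || (size_t)howmuch > buffer->total_len)`, which also silences sign-compare warnings and keeps the clamp correct if the two tests are ever reordered. The clamp is the only guard visible here against the NULL from evbuffer_pullup() that the commit message describes. The pullup call is outside the hunk, so it is worth confirming that the caller also checks the returned pointer before passing it to the write call. A regression test that asks to write more bytes than the buffer holds on the non-writev path would pin this fix.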