From ec6bfd033566562730d2f37333b3f26bf0ba1391 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Thu, 23 Apr 2009 21:41:53 +0000
Subject: [PATCH] Fix for evbuffer_read() when all data fits in penultimate
 chain.

Previously we were reading into the next-to-last chain, but incrementing
the fullness of the last.  Bug found by Victor Goya.

svn:r1237
---
 buffer.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/buffer.c b/buffer.c
index b506d570..cb480388 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1470,9 +1470,11 @@ _evbuffer_read_setup_vecs(struct evbuffer *buf, ssize_t howmuch,
 		if (vecs[0].IOV_LEN_FIELD >= howmuch) {
 			/* The next-to-last chain has enough
 			 * space on its own. */
+			chain = prev;
 			nvecs = 1;
 		} else {
 			/* We'll need both chains. */
+			chain = prev;
 			nvecs = 2;
 			if (vecs[0].IOV_LEN_FIELD + vecs[1].IOV_LEN_FIELD > howmuch) {
 				vecs[1].IOV_LEN_FIELD = howmuch - vecs[0].IOV_LEN_FIELD;
@@ -1604,12 +1606,12 @@ evbuffer_read(struct evbuffer *buf, evutil_socket_t fd, int howmuch)
 
 #ifdef USE_IOVEC_IMPL
 	if (nvecs == 2) {
-		size_t space = CHAIN_SPACE_LEN(buf->previous_to_last);
-        		if (space < n) {
-			buf->previous_to_last->off += space;
-			chain->off += n-space;
+		size_t space = CHAIN_SPACE_LEN(chain);
+		if (space < n) {
+			chain->off += space;
+			chain->next->off += n-space;
 		} else {
-			buf->previous_to_last->off += n;
+			chain->off += n;
 		}
 	} else {
 		chain->off += n;