From 90b4b4073f34919aa72deff61a5c9bc188c47c95 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 17 Jan 2011 22:39:47 +0100
Subject: [PATCH] sftp_read: avoid wrapping counter to insanity

As pointed out in bug #206, if a second invoke of libssh2_sftp_read() would shrink the buffer size, libssh2 would go nuts and send out read requests like crazy. This was due to an unsigned variable turning "negative" by some wrong math, and that value would be the amount of data attempt to pre-buffer!

Bug: http://trac.libssh2.org/ticket/206
---
 src/sftp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/sftp.c b/src/sftp.c
index f6138e3..9e35676 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -1077,7 +1077,7 @@ static ssize_t sftp_read(LIBSSH2_SFTP_HANDLE * handle, char *buffer,
 LIBSSH2_SFTP *sftp = handle->sftp;
 LIBSSH2_CHANNEL *channel = sftp->channel;
 LIBSSH2_SESSION *session = channel->session;
- size_t count;
+ size_t count = 0;
 struct sftp_pipeline_chunk *chunk;
 struct sftp_pipeline_chunk *next;
 ssize_t rc;
@@ -1108,7 +1108,12 @@ static ssize_t sftp_read(LIBSSH2_SFTP_HANDLE * handle, char *buffer,
 /* We allow a number of bytes being requested at any given time without having been acked - until we reach EOF. */
- count = filep->eof?0:(buffer_size*4) - already;
+ if(!filep->eof) { /* if the buffer_size passed in now is smaller than what has already been sent, we risk getting count become a very large number */ if((buffer_size*4) > already) count = (buffer_size*4) - already; }
 while(count > 0) {
 unsigned char *s;
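Review bot: `size_t count = 0;` in the first hunk is now load-bearing rather than cosmetic: after the second hunk, `count` is only assigned inside `if(!filep->eof)` and only when `buffer_size*4` exceeds `already`, so both the EOF path and the shrunk-buffer path depend on this initialiser to request no further data, and nothing at the declaration says so. I would carry that contract on the declaration itself, e.g. `size_t count = 0; /* bytes to request ahead of acks; stays 0 at EOF or once already >= buffer_size*4 */`. In the second hunk the product `buffer_size*4` can itself wrap for an implausibly large buffer_size; the equivalent test `if(buffer_size > already / 4)` avoids the multiplication entirely, though that hunk's trailing context is not fully visible here. sftp_read begins before the first hunk and continues past the last line shown.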