crypto: fix another over-run in bio

When doing `FreeEmpty`, `NodeBIO` skips pre-allocated `head_` buffer. However this might lead to double-freeing buffers since in `~NodeBIO()` we're starting deallocation from `head_` buffer.
fhinkel · Aug 3, 2013 · e5791f7 · e5791f7
1 parent 350fc80
commit e5791f7
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
@@ -232,21 +232,24 @@ void NodeBIO::FreeEmpty() {
   if (cur == write_head_ || cur == read_head_)
     return;
 
+  Buffer* prev = child;
   while (cur != read_head_) {
-    // Skip embedded buffer
+    // Skip embedded buffer, and continue deallocating again starting from it
     if (cur == &head_) {
+      prev->next_ = cur;
+      prev = cur;
       cur = head_.next_;
       continue;
     }
     assert(cur != write_head_);
     assert(cur->write_pos_ == cur->read_pos_);
 
     Buffer* next = cur->next_;
-    child->next_ = next;
     delete cur;
-
     cur = next;
   }
+  assert(prev == child || prev == &head_);
+  prev->next_ = cur;
 }