From dea7e6aefdfde992b65f3b6e259e7e88670ef512 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 28 Sep 2021 13:24:21 -0600
Subject: [PATCH] expand_buf: fix conditional for when we need to preserve existing data

It is possible for the buffer offset to be zero when the length is non-zero. The proper value to use is the same as is used for the memcpy/memmove size. Fixes buffer corruption caused by a very long command line that usually results in a dropped connection.
---
 logsrvd/logsrv_util.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/logsrvd/logsrv_util.c b/logsrvd/logsrv_util.c
index c6ff65ae4..ea16f00da 100644
--- a/logsrvd/logsrv_util.c
+++ b/logsrvd/logsrv_util.c
@@ -58,18 +58,20 @@ expand_buf(struct connection_buffer *buf, unsigned int needed)
 if (buf->size < needed) {
 /* Expand buffer. */
 needed = sudo_pow2_roundup(needed);
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "expanding buffer from %u to %u", buf->size, needed);
 if ((newdata = malloc(needed)) == NULL) {
 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 debug_return_bool(false);
 }
- if (buf->off > 0)
+ if (buf->len - buf->off > 0)
 memcpy(newdata, buf->data + buf->off, buf->len - buf->off);
 free(buf->data);
 buf->data = newdata;
 buf->size = needed;
 } else {
 /* Just reset existing buffer. */
- if (buf->off > 0) {
+ if (buf->len - buf->off > 0) {
 memmove(buf->data, buf->data + buf->off, buf->len - buf->off);
 }