From 72bbf1fbee0aa5e2410495980c1f9ce4385303a3 Mon Sep 17 00:00:00 2001
From: Dmitri Tikhonov
Date: Mon, 6 Jan 2020 11:57:25 -0500
Subject: [PATCH] Release 2.8.5
- [BUGFIX] Fix unintended sign extension when removing header protection.
---
 CHANGELOG | 3 ++-
 include/lsquic.h | 2 +-
 src/liblsquic/lsquic_enc_sess_ietf.c | 6 +++---
 src/liblsquic/lsquic_handshake.c | 6 +++---
 src/liblsquic/lsquic_pr_queue.c | 6 +++---
 5 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index a3cd29874..0a99d78b2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,5 @@ 2020-01-06 - - 2.8.4 + - 2.8.5 - [HTTP3] Verify number of bytes in incoming DATA frames against content-length. - [HTTP3] Stop issuing streams credits if peer stops opening QPACK
@@ -8,6 +8,7 @@ Considerations in the QPACK draft. - [BUGFIX] Mini conn: don't shorten max packet size for Q050 and later. - [BUGFIX] Init IETF connection flow controller using correct setting. + - [BUGFIX] Fix unintended sign extension when removing header protection. - Code cleanup and minor fixes. 2019-12-30
diff --git a/include/lsquic.h b/include/lsquic.h
index bc8f1ff6f..069a959c5 100644
--- a/include/lsquic.h
+++ b/include/lsquic.h
@@ -25,7 +25,7 @@ extern "C" {
 #define LSQUIC_MAJOR_VERSION 2
 #define LSQUIC_MINOR_VERSION 8
-#define LSQUIC_PATCH_VERSION 4
+#define LSQUIC_PATCH_VERSION 5
 /**
  * Engine flags:
diff --git a/src/liblsquic/lsquic_enc_sess_ietf.c b/src/liblsquic/lsquic_enc_sess_ietf.c
index 1ade646b5..ea96e183b 100644
--- a/src/liblsquic/lsquic_enc_sess_ietf.c
+++ b/src/liblsquic/lsquic_enc_sess_ietf.c
@@ -403,17 +403,17 @@ strip_hp (struct enc_sess_iquic *enc_sess,
 /* fall-through */
 case 3:
 dst[packno_off + 2] ^= mask[3];
- packno |= dst[packno_off + 2] << shift;
+ packno |= (unsigned) dst[packno_off + 2] << shift;
 shift += 8;
 /* fall-through */
 case 2:
 dst[packno_off + 1] ^= mask[2];
- packno |= dst[packno_off + 1] << shift;
+ packno |= (unsigned) dst[packno_off + 1] << shift;
 shift += 8;
 /* fall-through */
 default:
 dst[packno_off + 0] ^= mask[1];
- packno |= dst[packno_off + 0] << shift;
+ packno |= (unsigned) dst[packno_off + 0] << shift;
 shift += 8;
 }
 pns = lsquic_enclev2pns[hp->hp_enc_level];
diff --git a/src/liblsquic/lsquic_handshake.c b/src/liblsquic/lsquic_handshake.c
index 84ec6e73d..25c39c273 100644
--- a/src/liblsquic/lsquic_handshake.c
+++ b/src/liblsquic/lsquic_handshake.c
@@ -4095,17 +4095,17 @@ gquic2_strip_hp (struct lsquic_enc_session *enc_session,
 /* fall-through */
 case 3:
 dst[packno_off + 2] ^= mask[3];
- packno |= dst[packno_off + 2] << shift;
+ packno |= (unsigned) dst[packno_off + 2] << shift;
 shift += 8;
 /* fall-through */
 case 2:
 dst[packno_off + 1] ^= mask[2];
- packno |= dst[packno_off + 1] << shift;
+ packno |= (unsigned) dst[packno_off + 1] << shift;
 shift += 8;
 /* fall-through */
 default:
 dst[packno_off + 0] ^= mask[1];
- packno |= dst[packno_off + 0] << shift;
+ packno |= (unsigned) dst[packno_off + 0] << shift;
 shift += 8;
 }
 return decode_packno(enc_session->es_max_packno, packno, shift);
diff --git a/src/liblsquic/lsquic_pr_queue.c b/src/liblsquic/lsquic_pr_queue.c
index 5e7ee9aae..fe9a595ea 100644
--- a/src/liblsquic/lsquic_pr_queue.c
+++ b/src/liblsquic/lsquic_pr_queue.c
@@ -311,7 +311,7 @@ lsquic_prq_new_req (struct pr_queue *prq, enum packet_req_type type,
 req->pr_type = type;
 req->pr_dcid = *dcid;
- if (lsquic_hash_find(prq->prq_reqs_hash, req, sizeof(req)))
+ if (lsquic_hash_find(prq->prq_reqs_hash, req, sizeof(*req)))
 {
 LSQ_DEBUG("request for this DCID and type already exists");
 put_req(prq, req);
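Review bot: The `(unsigned)` casts in strip_hp (lsquic_enc_sess_ietf.c) carry no comment saying why they are needed, and the same three lines are repeated in gquic2_strip_hp (lsquic_handshake.c), so a later cleanup could drop them in one copy as redundant. Without the cast the byte is promoted to `int` before the shift, and in the `default:` branch, where `shift` is largest, a byte with its top bit set would sign-extend when OR-ed into `packno` if that variable is wider than `int` (its declaration is outside the hunk). A comment above the first shifted line, such as `/* cast before shifting: int promotion would sign-extend a byte >= 0x80 into packno */`, would record this. Because these bytes come from the packet header being unprotected, a regression test using a 4-byte packet number whose leading byte is 0x80 or higher, run against both functions, would keep the two copies from drifting apart. Both switch statements begin above their hunks.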
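Review bot: With `sizeof(*req)` the lookup key in lsquic_prq_new_req becomes every byte of the request, yet only `pr_type` and `pr_dcid` have been assigned when `lsquic_hash_find` runs; the `lsquic_hash_insert` call in the next hunk (`@@ -319`) uses the same key length. `pr_hash_el.qhe_flags`, `pr_version`, `pr_scid` and `pr_path` are written after the lookup or after the insert, so if the table hashes and compares raw key bytes, the "already exists" check depends on whatever `req` held before (padding included) and the key of an inserted element changes afterwards. The debug message indicates the intended key is DCID plus type, so the key should cover only those two fields, for example through a small zero-initialised key struct that holds just them. This check appears to be what stops repeated requests for one DCID from piling up in the queue, so it is worth a test that submits the same type and DCID twice and expects the second call to be rejected. The function body starts before and continues past this hunk.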
@@ -319,7 +319,7 @@ lsquic_prq_new_req (struct pr_queue *prq, enum packet_req_type type,
 }
 req->pr_hash_el.qhe_flags = 0;
- if (!lsquic_hash_insert(prq->prq_reqs_hash, req, sizeof(req),
+ if (!lsquic_hash_insert(prq->prq_reqs_hash, req, sizeof(*req),
 req, &req->pr_hash_el))
 {
 LSQ_DEBUG("could not insert req into hash");
@@ -332,7 +332,7 @@ lsquic_prq_new_req (struct pr_queue *prq, enum packet_req_type type,
 req->pr_version = version;
 req->pr_scid = *scid;
 req->pr_path.np_peer_ctx = peer_ctx;
- memcpy(NP_LOCAL_SA(&req->pr_path), local_addr,
+ memcpy(req->pr_path.np_local_addr, local_addr,
 sizeof(req->pr_path.np_local_addr));
 memcpy(NP_PEER_SA(&req->pr_path), peer_addr,
 sizeof(req->pr_path.np_peer_addr));
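Review bot: In the last hunk (`@@ -332`) the local-address copy now names the destination array directly, while the peer-address copy two lines below still goes through `NP_PEER_SA(&req->pr_path)`, so the two parallel copies are written differently; the peer line could take the same form, `memcpy(req->pr_path.np_peer_addr, peer_addr, sizeof(req->pr_path.np_peer_addr));`. Both copies read `sizeof` of the destination array from a caller-supplied pointer whose type is not visible in the hunk. If callers may pass an address object smaller than that array (an IPv4-sized one, for instance), the copy reads past the end of the source, so the length should be chosen from the address family or the required size documented at the parameter. The function continues outside the hunk.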