From ec098c6f9e2b9a7d8f1a0a078f1d0786618b20dd Mon Sep 17 00:00:00 2001 From: Dmitri Tikhonov Date: Wed, 6 Jan 2021 17:39:59 -0500 Subject: [PATCH] Release 2.24.6 - [BUGFIX] Memory corruption in receive history copy-ranges function. --- CHANGELOG | 4 ++++ docs/conf.py | 2 +- include/lsquic.h | 2 +- src/liblsquic/lsquic_rechist.c | 11 +++++++---- tests/test_rechist.c | 21 +++++++++++++++++++++ 5 files changed, 34 insertions(+), 6 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index b09af5347..8367b49ae 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,7 @@ +2021-01-06 + - 2.24.6 + - [BUGFIX] Memory corruption in receive history copy-ranges function. + 2020-11-24 - 2.24.5 - [FEATURE] Improve Delayed ACKs extension and turn it on by default. diff --git a/docs/conf.py b/docs/conf.py index 381560d34..f9e489993 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -26,7 +26,7 @@ # The short X.Y version version = u'2.24' # The full version, including alpha/beta/rc tags -release = u'2.24.5' +release = u'2.24.6' # -- General configuration --------------------------------------------------- diff --git a/include/lsquic.h b/include/lsquic.h index 4b39dc736..4fdec66f1 100644 --- a/include/lsquic.h +++ b/include/lsquic.h @@ -25,7 +25,7 @@ extern "C" { #define LSQUIC_MAJOR_VERSION 2 #define LSQUIC_MINOR_VERSION 24 -#define LSQUIC_PATCH_VERSION 5 +#define LSQUIC_PATCH_VERSION 6 /** * Engine flags: diff --git a/src/liblsquic/lsquic_rechist.c b/src/liblsquic/lsquic_rechist.c index 2ccc29c84..993ad7a04 100644 --- a/src/liblsquic/lsquic_rechist.c +++ b/src/liblsquic/lsquic_rechist.c @@ -496,13 +496,13 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist, { const struct lsquic_packno_range *range; struct rechist_elem *el; - unsigned *next_idx; + unsigned prev_idx; int idx; /* This function only works if rechist contains no elements */ assert(rechist->rh_n_used == 0); - next_idx = &rechist->rh_head; + prev_idx = UINT_MAX; for (range = first(src_rechist); range; range = next(src_rechist)) { idx = rechist_alloc_elem(rechist); @@ -512,8 +512,11 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist, el->re_low = range->low; el->re_count = range->high - range->low + 1; el->re_next = UINT_MAX; - *next_idx = idx; - next_idx = &el->re_next; + if (prev_idx == UINT_MAX) + rechist->rh_head = idx; + else + rechist->rh_elems[prev_idx].re_next = idx; + prev_idx = idx; } return 0; diff --git a/tests/test_rechist.c b/tests/test_rechist.c index 4949c58b9..4499ea35e 100644 --- a/tests/test_rechist.c +++ b/tests/test_rechist.c @@ -116,6 +116,23 @@ rechist2str (lsquic_rechist_t *rechist, char *buf, size_t bufsz) } +static void +test_range_copy (struct lsquic_rechist *orig, int ietf) +{ + char orig_str[0x1000], new_str[0x1000]; + struct lsquic_rechist new; + + rechist2str(orig, orig_str, sizeof(orig_str)); + + lsquic_rechist_init(&new, ietf, 0); + lsquic_rechist_copy_ranges(&new, orig, + (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_first, + (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_next); + rechist2str(&new, new_str, sizeof(new_str)); + assert(0 == strcmp(orig_str, new_str)); +} + + static void test5 (void) { @@ -150,6 +167,7 @@ test5 (void) assert(0 == strcmp(buf, "[12-12][10-10][8-6][4-3][1-1]")); lsquic_rechist_received(&rechist, 9, 0); + test_range_copy(&rechist, 0); rechist2str(&rechist, buf, sizeof(buf)); assert(0 == strcmp(buf, "[12-12][10-6][4-3][1-1]")); @@ -182,6 +200,8 @@ test_rand_sequence (unsigned seed, unsigned max) assert(st == REC_ST_OK || st == REC_ST_DUP); } + test_range_copy(&rechist, 1); + range = lsquic_rechist_first(&rechist); assert(range); assert(range->high >= range->low); @@ -246,6 +266,7 @@ test_shuffle_1000 (unsigned seed) st = lsquic_rechist_received(&rechist, els[i].packno, 0); assert(st == REC_ST_OK || st == REC_ST_DUP); } + test_range_copy(&rechist, 1); range = lsquic_rechist_first(&rechist); assert(range);