Release 2.27.2

- [BUGFIX] Memory corruption in receive history copy-ranges function.
2024-08-15 00:53:43 +00:00 · 2021-01-06 17:53:07 -05:00 · 2021-01-06 17:53:07 -05:00 · 1a0003e3b9
commit 1a0003e3b9
parent 06b2a2363e
8 changed files with 39 additions and 10 deletions
--- a/src/liblsquic/lsquic_full_conn_ietf.c
+++ b/src/liblsquic/lsquic_full_conn_ietf.c
@ -8076,7 +8076,8 @@ ietf_full_conn_ci_set_min_datagram_size (struct lsquic_conn *lconn,

    if (new_size > USHRT_MAX)
    {
-        LSQ_DEBUG("min datagram size cannot be larger than %hu", USHRT_MAX);
+        LSQ_DEBUG("min datagram size cannot be larger than %hu",
+                                                    (unsigned short) USHRT_MAX);
        return -1;
    }

--- a/src/liblsquic/lsquic_rechist.c
+++ b/src/liblsquic/lsquic_rechist.c
@ -496,13 +496,13 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
 {
    const struct lsquic_packno_range *range;
    struct rechist_elem *el;
-    unsigned *next_idx;
+    unsigned prev_idx;
    int idx;

    /* This function only works if rechist contains no elements */
    assert(rechist->rh_n_used == 0);

-    next_idx = &rechist->rh_head;
+    prev_idx = UINT_MAX;
    for (range = first(src_rechist); range; range = next(src_rechist))
    {
        idx = rechist_alloc_elem(rechist);
@ -512,8 +512,11 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
        el->re_low = range->low;
        el->re_count = range->high - range->low + 1;
        el->re_next = UINT_MAX;
-        *next_idx = idx;
-        next_idx = &el->re_next;
+        if (prev_idx == UINT_MAX)
+            rechist->rh_head = idx;
+        else
+            rechist->rh_elems[prev_idx].re_next = idx;
+        prev_idx = idx;
    }

    return 0;