Release 2.24.6

- [BUGFIX] Memory corruption in receive history copy-ranges function.
2021-01-06 17:39:59 -05:00 · 2021-01-06 17:39:59 -05:00 · ec098c6f9e
parent 57fe5a13ac
commit ec098c6f9e
5 changed files with 34 additions and 6 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+2021-01-06
+    - 2.24.6
+    - [BUGFIX] Memory corruption in receive history copy-ranges function.
+
 2020-11-24
    - 2.24.5
    - [FEATURE] Improve Delayed ACKs extension and turn it on by default.
--- a/docs/conf.py
+++ b/docs/conf.py
@ -26,7 +26,7 @@ author = u'LiteSpeed Technologies'
 # The short X.Y version
 version = u'2.24'
 # The full version, including alpha/beta/rc tags
-release = u'2.24.5'
+release = u'2.24.6'


 # -- General configuration ---------------------------------------------------
--- a/include/lsquic.h
+++ b/include/lsquic.h
@ -25,7 +25,7 @@ extern "C" {

 #define LSQUIC_MAJOR_VERSION 2
 #define LSQUIC_MINOR_VERSION 24
-#define LSQUIC_PATCH_VERSION 5
+#define LSQUIC_PATCH_VERSION 6

 /**
 * Engine flags:
--- a/src/liblsquic/lsquic_rechist.c
+++ b/src/liblsquic/lsquic_rechist.c
@ -496,13 +496,13 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
 {
    const struct lsquic_packno_range *range;
    struct rechist_elem *el;
-    unsigned *next_idx;
+    unsigned prev_idx;
    int idx;

    /* This function only works if rechist contains no elements */
    assert(rechist->rh_n_used == 0);

-    next_idx = &rechist->rh_head;
+    prev_idx = UINT_MAX;
    for (range = first(src_rechist); range; range = next(src_rechist))
    {
        idx = rechist_alloc_elem(rechist);
@ -512,8 +512,11 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
        el->re_low = range->low;
        el->re_count = range->high - range->low + 1;
        el->re_next = UINT_MAX;
-        *next_idx = idx;
-        next_idx = &el->re_next;
+        if (prev_idx == UINT_MAX)
+            rechist->rh_head = idx;
+        else
+            rechist->rh_elems[prev_idx].re_next = idx;
+        prev_idx = idx;
    }

    return 0;
--- a/tests/test_rechist.c
+++ b/tests/test_rechist.c
@ -116,6 +116,23 @@ rechist2str (lsquic_rechist_t *rechist, char *buf, size_t bufsz)
 }


+static void
+test_range_copy (struct lsquic_rechist *orig, int ietf)
+{
+    char orig_str[0x1000], new_str[0x1000];
+    struct lsquic_rechist new;
+
+    rechist2str(orig, orig_str, sizeof(orig_str));
+
+    lsquic_rechist_init(&new, ietf, 0);
+    lsquic_rechist_copy_ranges(&new, orig,
+        (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_first,
+        (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_next);
+    rechist2str(&new, new_str, sizeof(new_str));
+    assert(0 == strcmp(orig_str, new_str));
+}
+
+
 static void
 test5 (void)
 {
@ -150,6 +167,7 @@ test5 (void)
    assert(0 == strcmp(buf, "[12-12][10-10][8-6][4-3][1-1]"));

    lsquic_rechist_received(&rechist, 9, 0);
+    test_range_copy(&rechist, 0);

    rechist2str(&rechist, buf, sizeof(buf));
    assert(0 == strcmp(buf, "[12-12][10-6][4-3][1-1]"));
@ -182,6 +200,8 @@ test_rand_sequence (unsigned seed, unsigned max)
        assert(st == REC_ST_OK || st == REC_ST_DUP);
    }

+    test_range_copy(&rechist, 1);
+
    range = lsquic_rechist_first(&rechist);
    assert(range);
    assert(range->high >= range->low);
@ -246,6 +266,7 @@ test_shuffle_1000 (unsigned seed)
        st = lsquic_rechist_received(&rechist, els[i].packno, 0);
        assert(st == REC_ST_OK || st == REC_ST_DUP);
    }
+    test_range_copy(&rechist, 1);

    range = lsquic_rechist_first(&rechist);
    assert(range);