Release 2.24.6

- [BUGFIX] Memory corruption in receive history copy-ranges function.
litespeedtech · Jan 6, 2021 · ec098c6 · ec098c6
1 parent 57fe5a1
commit ec098c6
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+2021-01-06
+    - 2.24.6
+    - [BUGFIX] Memory corruption in receive history copy-ranges function.
+
 2020-11-24
     - 2.24.5
     - [FEATURE] Improve Delayed ACKs extension and turn it on by default.

diff --git a/docs/conf.py b/docs/conf.py
@@ -26,7 +26,7 @@
 # The short X.Y version
 version = u'2.24'
 # The full version, including alpha/beta/rc tags
-release = u'2.24.5'
+release = u'2.24.6'
 
 
 # -- General configuration ---------------------------------------------------

diff --git a/include/lsquic.h b/include/lsquic.h
@@ -25,7 +25,7 @@ extern "C" {
 
 #define LSQUIC_MAJOR_VERSION 2
 #define LSQUIC_MINOR_VERSION 24
-#define LSQUIC_PATCH_VERSION 5
+#define LSQUIC_PATCH_VERSION 6
 
 /**
  * Engine flags:

diff --git a/src/liblsquic/lsquic_rechist.c b/src/liblsquic/lsquic_rechist.c
@@ -496,13 +496,13 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
 {
     const struct lsquic_packno_range *range;
     struct rechist_elem *el;
-    unsigned *next_idx;
+    unsigned prev_idx;
     int idx;
 
     /* This function only works if rechist contains no elements */
     assert(rechist->rh_n_used == 0);
 
-    next_idx = &rechist->rh_head;
+    prev_idx = UINT_MAX;
     for (range = first(src_rechist); range; range = next(src_rechist))
     {
         idx = rechist_alloc_elem(rechist);
@@ -512,8 +512,11 @@ lsquic_rechist_copy_ranges (struct lsquic_rechist *rechist, void *src_rechist,
         el->re_low = range->low;
         el->re_count = range->high - range->low + 1;
         el->re_next = UINT_MAX;
-        *next_idx = idx;
-        next_idx = &el->re_next;
+        if (prev_idx == UINT_MAX)
+            rechist->rh_head = idx;
+        else
+            rechist->rh_elems[prev_idx].re_next = idx;
+        prev_idx = idx;
     }
 
     return 0;

diff --git a/tests/test_rechist.c b/tests/test_rechist.c
@@ -116,6 +116,23 @@ rechist2str (lsquic_rechist_t *rechist, char *buf, size_t bufsz)
 }
 
 
+static void
+test_range_copy (struct lsquic_rechist *orig, int ietf)
+{
+    char orig_str[0x1000], new_str[0x1000];
+    struct lsquic_rechist new;
+
+    rechist2str(orig, orig_str, sizeof(orig_str));
+
+    lsquic_rechist_init(&new, ietf, 0);
+    lsquic_rechist_copy_ranges(&new, orig,
+        (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_first,
+        (const struct lsquic_packno_range * (*) (void *)) lsquic_rechist_next);
+    rechist2str(&new, new_str, sizeof(new_str));
+    assert(0 == strcmp(orig_str, new_str));
+}
+
+
 static void
 test5 (void)
 {
@@ -150,6 +167,7 @@ test5 (void)
     assert(0 == strcmp(buf, "[12-12][10-10][8-6][4-3][1-1]"));
 
     lsquic_rechist_received(&rechist, 9, 0);
+    test_range_copy(&rechist, 0);
 
     rechist2str(&rechist, buf, sizeof(buf));
     assert(0 == strcmp(buf, "[12-12][10-6][4-3][1-1]"));
@@ -182,6 +200,8 @@ test_rand_sequence (unsigned seed, unsigned max)
         assert(st == REC_ST_OK || st == REC_ST_DUP);
     }
 
+    test_range_copy(&rechist, 1);
+
     range = lsquic_rechist_first(&rechist);
     assert(range);
     assert(range->high >= range->low);
@@ -246,6 +266,7 @@ test_shuffle_1000 (unsigned seed)
         st = lsquic_rechist_received(&rechist, els[i].packno, 0);
         assert(st == REC_ST_OK || st == REC_ST_DUP);
     }
+    test_range_copy(&rechist, 1);
 
     range = lsquic_rechist_first(&rechist);
     assert(range);