Opened 3 years ago
#6164 new Bug
`prefetchCount` can become less than zero.
| Reported by: | cfpp2p | Owned by: | jordan |
|---|---|---|---|
| Priority: | Normal | Milestone: | None Set |
| Component: | libtransmission | Version: | 2.92 |
| Severity: | Normal | Keywords: | |
| Cc: |
Description
In peer-msgs.c fillOutputBuffer() prefetchCount can become less than zero. In peerMadeRequest() there is:
bool allow = false;
if (!reqIsValid)
dbgmsg (msgs, "rejecting an invalid request.");
else if (!clientHasPiece)
dbgmsg (msgs, "rejecting request for a piece we don't have.");
else if (peerIsChoked)
dbgmsg (msgs, "rejecting request from choked peer");
else if (msgs->peer.pendingReqsToClient + 1 >= REQQ)
dbgmsg (msgs, "rejecting request ... reqq is full");
else
allow = true;
if (allow) {
msgs->peerAskedFor[msgs->peer.pendingReqsToClient++] = *req;
prefetchPieces (msgs);
}
But then! -- quote
So, it appears that the bsearch() call is returning NULL somehow...
One example of how the problem happens:
peer-msgs.c
1.) prefetchCount is at zero
2.) a single and properly usable peer request received by peerMadeRequest()
.....2b.) pendingReqsToClient++
3.) prefetchPieces() is called and doesn't increment prefetchCount (per r11313)
4.) in fillOutputBuffer() popNextRequest() results in true
.....line 2023 --msgs->prefetchCount;
5.) --msgs->prefetchCount and its value is now set to -1
6.) prefetchPieces() is called with a prefetchCount of -1
resulting in invalid access req
Fix is change line 2023 peer-msgs.c to:
if (msgs->prefetchCount > 0) --msgs->prefetchCount;
