Opened 3 years ago

#6164 new Bug

`prefetchCount` can become less than zero.

Reported by: cfpp2p Owned by: jordan
Priority: Normal Milestone: None Set
Component: libtransmission Version: 2.92
Severity: Normal Keywords:


In peer-msgs.c, fillOutputBuffer() lets prefetchCount become less than zero. In peerMadeRequest() there is:

    bool allow = false;

    if (!reqIsValid)
        dbgmsg (msgs, "rejecting an invalid request.");
    else if (!clientHasPiece)
        dbgmsg (msgs, "rejecting request for a piece we don't have.");
    else if (peerIsChoked)
        dbgmsg (msgs, "rejecting request from choked peer");
    else if (msgs->peer.pendingReqsToClient + 1 >= REQQ)
        dbgmsg (msgs, "rejecting request ... reqq is full");
    else
        allow = true;

    if (allow) {
        msgs->peerAskedFor[msgs->peer.pendingReqsToClient++] = *req;
        prefetchPieces (msgs);

But then! -- quote

So, it appears that the bsearch() call is returning NULL somehow...


One example of how the problem happens:

1.) prefetchCount is at zero
2.) a single and properly usable peer request is received by peerMadeRequest()
    2b.) pendingReqsToClient++
3.) prefetchPieces() is called and doesn't increment prefetchCount (per r11313)
4.) in fillOutputBuffer(), popNextRequest() returns true
    line 2023: --msgs->prefetchCount;
5.) --msgs->prefetchCount runs and its value is now -1
6.) prefetchPieces() is called with a prefetchCount of -1

resulting in an invalid access of `req`

The fix is to change line 2023 of peer-msgs.c to:

    if (msgs->prefetchCount > 0) --msgs->prefetchCount;
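The sequence above, replayed in a small C model. This is an added illustration and not Transmission's code: the struct, the `model_*` functions and the values of REQQ and PREFETCH_SIZE are assumptions standing in for peer-msgs.c, and `lookup_ok` models the case the ticket quotes where the piece lookup fails and prefetchPieces() therefore does not advance prefetchCount. The pop is run once with the unconditional decrement and once with the guarded decrement proposed in the ticket, and the model reports what the step-6 prefetch would do in each case.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this model, not the values in peer-msgs.c. */
#define REQQ          512
#define PREFETCH_SIZE 18

struct peer_request { unsigned index, offset, length; };

struct peer_model {
    struct peer_request peerAskedFor[REQQ];
    int pendingReqsToClient;   /* requests the peer has asked us for */
    int prefetchCount;         /* how many of those have been handed to the cache */
};

/* The invariant the prefetch loop silently relies on. */
static bool model_invariant_holds(const struct peer_model *m)
{
    return m->prefetchCount >= 0 && m->prefetchCount <= m->pendingReqsToClient;
}

/* Stand-in for prefetchPieces(): walks the not-yet-prefetched tail of peerAskedFor.
   When lookup_ok is false nothing is prefetched and prefetchCount is left alone
   (the behaviour the ticket describes). Returns the number prefetched, or -1 if
   the loop would have started at a negative index, i.e. read peerAskedFor[-1]. */
static int model_prefetch_pieces(struct peer_model *m, bool lookup_ok)
{
    int i, n = 0;
    if (m->prefetchCount < 0)
        return -1;
    if (!lookup_ok)
        return 0;
    for (i = m->prefetchCount; i < m->pendingReqsToClient && i < PREFETCH_SIZE; ++i) {
        (void)m->peerAskedFor[i];  /* the real code hands this request to the block cache */
        ++m->prefetchCount;
        ++n;
    }
    return n;
}

/* Stand-in for the accepting branch of peerMadeRequest(). Returns the prefetch
   result, or -2 when the request queue is full and the request is rejected. */
static int model_peer_made_request(struct peer_model *m, const struct peer_request *req,
                                   bool lookup_ok)
{
    if (m->pendingReqsToClient + 1 >= REQQ)
        return -2;
    m->peerAskedFor[m->pendingReqsToClient++] = *req;
    return model_prefetch_pieces(m, lookup_ok);
}

/* Stand-in for popNextRequest() followed by the decrement at line 2023. */
static bool model_pop_next_request(struct peer_model *m, struct peer_request *out, bool guarded)
{
    if (m->pendingReqsToClient == 0)
        return false;
    *out = m->peerAskedFor[0];
    memmove(&m->peerAskedFor[0], &m->peerAskedFor[1],
            (size_t)(m->pendingReqsToClient - 1) * sizeof *out);
    --m->pendingReqsToClient;
    if (!guarded)
        --m->prefetchCount;                    /* unconditional, as at line 2023 */
    else if (m->prefetchCount > 0)
        --m->prefetchCount;                    /* the ticket's proposed fix */
    return true;
}

struct replay_result {
    int  prefetch_count_after_pop;   /* value after step 5 */
    bool invariant_after_pop;
    int  step6;                      /* what the next prefetchPieces() would do */
};

/* Replays steps 1 to 6 of the ticket with the chosen decrement. */
static struct replay_result model_replay_ticket(bool guarded)
{
    struct peer_model m;
    struct peer_request req = { 0, 0, 16384 }, popped;
    struct replay_result r;

    memset(&m, 0, sizeof m);                       /* 1: prefetchCount == 0 */
    model_peer_made_request(&m, &req, false);      /* 2, 3: accepted, prefetch skipped */
    model_pop_next_request(&m, &popped, guarded);  /* 4, 5: --prefetchCount */
    r.prefetch_count_after_pop = m.prefetchCount;
    r.invariant_after_pop = model_invariant_holds(&m);
    r.step6 = model_peer_made_request(&m, &req, true);  /* 6: next request arrives */
    return r;
}

int main(void)
{
    struct replay_result buggy = model_replay_ticket(false);
    struct replay_result fixed = model_replay_ticket(true);
    printf("unguarded: prefetchCount=%d step6=%d\n", buggy.prefetch_count_after_pop, buggy.step6);
    printf("guarded:   prefetchCount=%d step6=%d\n", fixed.prefetch_count_after_pop, fixed.step6);
    return 0;
}
```

With the unconditional decrement the counter reaches -1 after the pop and the next prefetch would start at peerAskedFor[-1]; with the guard it stays at 0 and the next prefetch handles the new request normally. The guard only masks the drift, though: if prefetchPieces() can skip a request without advancing prefetchCount, the counter can also lag behind pendingReqsToClient, so a practitioner would additionally check the invariant above after every pop in a debug build.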

Change History (0)
