Opened 5 years ago
#6164 new Bug
`prefetchCount` can become less than zero.
| Reported by: | cfpp2p | Owned by: | jordan |
|---|---|---|---|
| Priority: | Normal | Milestone: | None Set |
| Component: | libtransmission | Version: | 2.92 |
| Severity: | Normal | Keywords: | |
| Cc: | | | |
Description
In peer-msgs.c, fillOutputBuffer() prefetchCount can become less than zero. In peerMadeRequest() there is:

```c
bool allow = false;

if (!reqIsValid)
  dbgmsg (msgs, "rejecting an invalid request.");
else if (!clientHasPiece)
  dbgmsg (msgs, "rejecting request for a piece we don't have.");
else if (peerIsChoked)
  dbgmsg (msgs, "rejecting request from choked peer");
else if (msgs->peer.pendingReqsToClient + 1 >= REQQ)
  dbgmsg (msgs, "rejecting request ... reqq is full");
else
  allow = true;

if (allow)
  {
    msgs->peerAskedFor[msgs->peer.pendingReqsToClient++] = *req;
    prefetchPieces (msgs);
  }
```
But then! -- quote:

> So, it appears that the bsearch() call is returning NULL somehow...
One example of how the problem happens:
peer-msgs.c
1.) prefetchCount is at zero
2.) a single and properly usable peer request received by peerMadeRequest()
.....2b.) pendingReqsToClient++
3.) prefetchPieces() is called and doesn't increment prefetchCount (per r11313)
4.) in fillOutputBuffer() popNextRequest() results in true
.....line 2023 --msgs->prefetchCount;
5.) --msgs->prefetchCount and its value is now set to -1
6.) prefetchPieces() is called with a prefetchCount of -1
resulting in invalid access req
The fix is to change line 2023 of peer-msgs.c to:

```c
if (msgs->prefetchCount > 0) --msgs->prefetchCount;
```
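The sequence in steps 1 to 6 above, as an added, self-contained model in C. This is not Transmission's peer-msgs.c: the field and function names mirror the ticket, but the bodies are simplified assumptions (a session-wide prefetchEnabled flag stands in for whatever makes prefetchPieces() skip the increment in step 3, and PREFETCH_SIZE is an illustrative constant). The model's prefetchPieces() returns false instead of reading peerAskedFor[-1], so the underflow is observable without triggering the invalid access itself; the pop routine takes a flag selecting the original unguarded decrement or the guarded one proposed in the ticket.

```c
/* Added model of the prefetchCount underflow; not libtransmission code.
 * Names follow the ticket, everything else is a simplifying assumption. */
#include <stdbool.h>
#include <string.h>

#define REQQ 512            /* request-queue bound, as in the ticket's "reqq is full" check */
#define PREFETCH_SIZE 18    /* assumed prefetch window; value is illustrative only */

struct peer_request { unsigned int index, offset, length; };

struct model_msgs {
    int prefetchCount;                  /* entries of peerAskedFor[] already prefetched */
    int pendingReqsToClient;            /* live entries in peerAskedFor[] */
    bool prefetchEnabled;               /* assumed reason prefetchPieces() may not increment */
    struct peer_request peerAskedFor[REQQ];
};

/* Step 2: accept a usable request and append it (shape of the ticket's allow branch). */
static bool model_peer_made_request(struct model_msgs *m, const struct peer_request *req)
{
    if (m->pendingReqsToClient + 1 >= REQQ)
        return false;                   /* "rejecting request ... reqq is full" */
    m->peerAskedFor[m->pendingReqsToClient++] = *req;
    return true;
}

/* Steps 3 and 6: walk peerAskedFor[prefetchCount .. pending) and prefetch each entry.
 * Returns false where the real loop would read peerAskedFor[-1]. */
static bool model_prefetch_pieces(struct model_msgs *m)
{
    if (!m->prefetchEnabled)
        return true;                    /* early return: prefetchCount stays untouched */
    for (int i = m->prefetchCount; i < m->pendingReqsToClient && i < PREFETCH_SIZE; ++i) {
        if (i < 0)
            return false;               /* negative index: the invalid access in step 6 */
        /* a cache prefetch of peerAskedFor[i] would happen here */
        ++m->prefetchCount;
    }
    return true;
}

/* Steps 4 and 5: pop the oldest request. 'guarded' selects the proposed fix. */
static bool model_pop_next_request(struct model_msgs *m, struct peer_request *out, bool guarded)
{
    if (m->pendingReqsToClient == 0)
        return false;
    *out = m->peerAskedFor[0];
    memmove(&m->peerAskedFor[0], &m->peerAskedFor[1],
            (size_t)(m->pendingReqsToClient - 1) * sizeof *out);
    --m->pendingReqsToClient;
    if (guarded) {
        if (m->prefetchCount > 0)       /* fix: never decrement below zero */
            --m->prefetchCount;
    } else {
        --m->prefetchCount;             /* original line 2023: reaches -1 when nothing was prefetched */
    }
    return true;
}

/* Runs the ticket's steps 1-6. Stores prefetchCount after step 5 in *count and
 * returns whether the step-6 prefetch walk stayed inside the array. */
static bool reproduce(bool guarded, int *count)
{
    struct model_msgs m = { 0 };                    /* step 1: prefetchCount is zero */
    struct peer_request req = { 0, 0, 16384 }, popped;
    m.prefetchEnabled = false;                      /* assumption: why step 3 does not increment */
    model_peer_made_request(&m, &req);              /* steps 2, 2b */
    model_prefetch_pieces(&m);                      /* step 3: returns without incrementing */
    model_pop_next_request(&m, &popped, guarded);   /* steps 4, 5 */
    *count = m.prefetchCount;                       /* -1 unguarded, 0 guarded */
    m.prefetchEnabled = true;                       /* assumption: prefetching active again by step 6 */
    model_peer_made_request(&m, &req);              /* next request arrives ... */
    return model_prefetch_pieces(&m);               /* ... step 6 */
}

int main(void)
{
    int count;
    bool unguarded_ok = reproduce(false, &count);   /* false, count == -1 */
    bool guarded_ok = reproduce(true, &count);      /* true, count == 0 */
    return (unguarded_ok || !guarded_ok) ? 1 : 0;
}
```

The model shows why the guard alone is enough: the decrement only ever pairs with an increment that prefetchPieces() made, so clamping at zero keeps prefetchCount equal to the number of entries actually prefetched and the loop start index non-negative.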