freebsd-ports/net/libutp/files/patch-CVE-2012-6129
Mikhail Teterin 8eb590e00c Add a patch fixing a long-standing security problem. Bump PORTREVISION.
PR:		196351
Differential Revision:	D1593
Submitted by:	Jan Beich
Security:	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6129

While here, arrange for building a few of the small utilities bundled
with library, and install them along with another potentially useful
header-file.

Sponsored by:	http://libpipe.com/
2015-01-22 17:31:47 +00:00

52 lines
2.1 KiB
Text

Index: utp.cpp
===================================================================
--- utp.cpp (revision 13645)
+++ utp.cpp (revision 13646)
@@ -1487,6 +1487,8 @@ size_t UTPSocket::selective_ack_bytes(uint base, c
return acked_bytes;
}
+enum { MAX_EACK = 128 };
+
void UTPSocket::selective_ack(uint base, const byte *mask, byte len)
{
if (cur_window_packets == 0) return;
@@ -1499,7 +1501,7 @@ void UTPSocket::selective_ack(uint base, const byt
// resends is a stack of sequence numbers we need to resend. Since we
// iterate in reverse over the acked packets, at the end, the top packets
// are the ones we want to resend
- int resends[32];
+ int resends[MAX_EACK];
int nr = 0;
LOG_UTPV("0x%08x: Got EACK [%032b] base:%u", this, *(uint32*)mask, base);
@@ -1572,6 +1574,12 @@ void UTPSocket::selective_ack(uint base, const byt
if (((v - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE &&
count >= DUPLICATE_ACKS_BEFORE_RESEND &&
duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+ // resends is a stack, and we're mostly interested in the top of it
+ // if we're full, just throw away the lower half
+ if (nr >= MAX_EACK - 2) {
+ memmove(resends, &resends[MAX_EACK/2], MAX_EACK/2 * sizeof(resends[0]));
+ nr -= MAX_EACK / 2;
+ }
resends[nr++] = v;
LOG_UTPV("0x%08x: no ack for %u", this, v);
} else {
@@ -1580,13 +1588,12 @@ void UTPSocket::selective_ack(uint base, const byt
}
} while (--bits >= -1);
- if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) < 256 &&
- count >= DUPLICATE_ACKS_BEFORE_RESEND &&
- duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+ if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE &&
+ count >= DUPLICATE_ACKS_BEFORE_RESEND) {
// if we get enough duplicate acks to start
// resending, the first packet we should resend
// is base-1
- resends[nr++] = base - 1;
+ resends[nr++] = (base - 1) & ACK_NR_MASK;
} else {
LOG_UTPV("0x%08x: not resending %u count:%d dup_ack:%u fast_resend_seq_nr:%u",
this, base - 1, count, duplicate_ack, fast_resend_seq_nr);