(trunk libT) fix array-bounds-read in the UDP tracker code when an announce or scrape...

author Jordan Lee <jordan@transmissionbt.com>

Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)

committer Jordan Lee <jordan@transmissionbt.com>

Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)
author Jordan Lee <jordan@transmissionbt.com>
Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)
committer Jordan Lee <jordan@transmissionbt.com>
Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)
diff --git a/libtransmission/announcer-udp.c b/libtransmission/announcer-udp.c

index c74160086ebb02d23c20da121cead7acaf04423a..a81a2813ca20097c3ee74c7ae8c3d2dfacd63f54 100644 (file)
--- a/libtransmission/announcer-udp.c
+++ b/libtransmission/announcer-udp.c
@@ -59,7 +59,7 @@ tau_sendto( tr_session * session,
      else
          sockfd = -1;
  
-    if( sockfd <  0 ) {
+    if( sockfd < 0 ) {
          errno = EAFNOSUPPORT;
          return -1;
      }
@@ -560,7 +560,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
          else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
              tau_announce_request_fail( tracker->session, req, FALSE, TRUE, NULL );
              tau_announce_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
          }
      }
  
@@ -577,7 +579,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
          else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
              tau_scrape_request_fail( tracker->session, req, FALSE, TRUE, NULL );
              tau_scrape_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
          }
      }
  }
author	Jordan Lee <jordan@transmissionbt.com>
	Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)
committer	Jordan Lee <jordan@transmissionbt.com>
	Mon, 14 Mar 2011 02:39:11 +0000 (02:39 +0000)