From: Jordan Lee <jordan@transmissionbt.com>
Date: Mon, 14 Mar 2011 02:39:11 +0000 (+0000)
Subject: (trunk libT) fix array-bounds-read in the UDP tracker code when an announce or scrape... 
X-Git-Tag: 2.30b1~127
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=11e0883ee454f1baf172834c0fbae0202c7261b2;p=transmission

(trunk libT) fix array-bounds-read in the UDP tracker code when an announce or scrape request times out
---

diff --git a/libtransmission/announcer-udp.c b/libtransmission/announcer-udp.c
index c74160086..a81a2813c 100644
--- a/libtransmission/announcer-udp.c
+++ b/libtransmission/announcer-udp.c
@@ -59,7 +59,7 @@ tau_sendto( tr_session * session,
     else
         sockfd = -1;
 
-    if( sockfd <  0 ) {
+    if( sockfd < 0 ) {
         errno = EAFNOSUPPORT;
         return -1;
     }
@@ -560,7 +560,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
         else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
             tau_announce_request_fail( tracker->session, req, FALSE, TRUE, NULL );
             tau_announce_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
         }
     }
 
@@ -577,7 +579,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
         else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
             tau_scrape_request_fail( tracker->session, req, FALSE, TRUE, NULL );
             tau_scrape_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
         }
     }
 }