From 5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 Mon Sep 17 00:00:00 2001
From: fanxb
Date: Fri, 17 Jun 2022 16:19:43 +0800
Subject: quic:fix crash rx_fifo full or grow if when the rx_fifo grows, svm_fifo_enqueue() return -4, stream_data->app_rx_data_len += rlen type conversion occurs, Finally,stream->recvstate.data_off calculation is wrong.
Type:fix
Signed-off-by: fanxb
Change-Id: Iae11f0c453f32d836f4148d70e3b121545a53a90
---
src/plugins/quic/quic.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
(limited to 'src/plugins/quic')
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index 3655f9538b8..26113066014 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -876,6 +876,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
 {
 /* Streams live on the same thread so (f, stream_data) should stay consistent */
 rlen = svm_fifo_enqueue (f, len, (u8 *) src);
+ if (PREDICT_FALSE (rlen < 0))
+ {
+ /*
+ * drop, fifo full
+ * drop, fifo grow
+ */
+ return;
+ }
 QUIC_DBG (3, "Session [idx %u, app_wrk %u, ti %u, rx-fifo 0x%llx]: "
 "Enqueuing %u (rlen %u) at off %u in %u space, ",
 stream_session->session_index,
@@ -898,6 +906,14 @@ quic_on_receive (quicly_stream_t * stream, size_t off, const void *src,
 rlen = svm_fifo_enqueue_with_offset (f, off - stream_data->app_rx_data_len, len, (u8 *) src);
+ if (PREDICT_FALSE (rlen < 0))
+ {
+ /*
+ * drop, fifo full
+ * drop, fifo grow
+ */
+ return;
+ }
 QUIC_ASSERT (rlen == 0);
 }
 return;
-- cgit 1.2.3-korg
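Review bot: The guard added in both hunks returns without recording why the chunk was dropped, and the comment `drop, fifo full` / `drop, fifo grow` reads as two cases although the code does not distinguish them; a comment such as `/* enqueue failed (fifo full or mid-resize): drop this chunk without touching app_rx_data_len */` says what the early return protects, and a QUIC_DBG line carrying the negative return code would make the drop observable instead of a silent stall. The check also relies on rlen being a signed type — its declaration is outside the hunk; if it is u32, `rlen < 0` is never true and the negative code still reaches the `+=` the commit message describes, so please confirm the declared type. If this path skips the rx-data acknowledgement further down the function (presumably, it is not visible here), it would help to state in the comment whether quicly retains and re-delivers the range or the stream is expected to stall. quic_on_receive starts before and ends after both hunks.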