Describe the bug
Some rare memory pool corruption inside msquic was noticed and it appears QuicConnFlushRecv's implementation may be a problem.
in QuicConnFlushRecv, we noticed this branch of code,
|
ReceiveQueue = Connection->ReceiveQueue; |
|
if (Connection->ReceiveQueueCount > QUIC_MAX_RECEIVE_FLUSH_COUNT) { |
|
FlushedAll = FALSE; |
|
Connection->ReceiveQueueCount -= QUIC_MAX_RECEIVE_FLUSH_COUNT; |
|
QUIC_RX_PACKET* Tail = Connection->ReceiveQueue; |
|
ReceiveQueueCount = 0; |
|
ReceiveQueueByteCount = 0; |
|
while (++ReceiveQueueCount < QUIC_MAX_RECEIVE_FLUSH_COUNT) { |
|
ReceiveQueueByteCount += Tail->BufferLength; |
|
Tail = Connection->ReceiveQueue; |
|
} |
|
Connection->ReceiveQueueByteCount -= ReceiveQueueByteCount; |
|
Connection->ReceiveQueue = (QUIC_RX_PACKET*)Tail->Next; |
|
Tail->Next = NULL; |
|
} else { |
We believe it is supposed to,
- Take the first
QUIC_MAX_RECEIVE_FLUSH_COUNT packets from recvQ
- Count the number of bytes we took from recvQ
- Update
Connection->ReceiveQueue to the remaining packets, update Connection->ReceiveQueueByteCount to the total bytes in remaining packets
- Call
QuicConnRecvDatagrams with the portion of the list we took from recvQ
However, setting Tail to Connection->ReceiveQueue in each while loop body means we are always looking at the first packet,
|
Tail = Connection->ReceiveQueue; |
- We will always detach the head node in recvQ, and miscalculate new
Connection->ReceiveQueueByteCount
- We will always call
QuicConnRecvDatagrams with the single head packet in recvQ, but ReceiveQueueCount is the size of first-packet-length multiplied by 100 (QUIC_MAX_RECEIVE_FLUSH_COUNT).
This line is a no-op today.
Affected OS
Additional OS information
No response
MsQuic version
main
Steps taken to reproduce bug
memory pool corruption resulted in crashes later down the line (an internal msquic queue has an invalid head node)
Expected behavior
QuicConnFlushRecv should not malfunction when more than QUIC_MAX_RECEIVE_FLUSH_COUNT number of datagrams are queued up in recvQ
Actual outcome
memory pool corruption
Additional details
No response
Describe the bug
Some rare memory pool corruption inside msquic was noticed and it appears QuicConnFlushRecv's implementation may be a problem.
in
QuicConnFlushRecv, we noticed this branch of code,msquic/src/core/connection.c
Lines 5954 to 5968 in 37d6673
We believe it is supposed to,
QUIC_MAX_RECEIVE_FLUSH_COUNTpackets from recvQConnection->ReceiveQueueto the remaining packets, updateConnection->ReceiveQueueByteCountto the total bytes in remaining packetsQuicConnRecvDatagramswith the portion of the list we took from recvQHowever, setting
TailtoConnection->ReceiveQueuein each while loop body means we are always looking at the first packet,msquic/src/core/connection.c
Line 5963 in 37d6673
Connection->ReceiveQueueByteCountQuicConnRecvDatagramswith the single head packet in recvQ, butReceiveQueueCountis the size of first-packet-length multiplied by 100 (QUIC_MAX_RECEIVE_FLUSH_COUNT).This line is a no-op today.
Affected OS
Additional OS information
No response
MsQuic version
main
Steps taken to reproduce bug
memory pool corruption resulted in crashes later down the line (an internal msquic queue has an invalid head node)
Expected behavior
QuicConnFlushRecvshould not malfunction when more thanQUIC_MAX_RECEIVE_FLUSH_COUNTnumber of datagrams are queued up in recvQActual outcome
memory pool corruption
Additional details
No response