From: Frédéric Lécaille
Date: Wed, 3 Aug 2022 10:49:30 +0000 (+0200)
Subject: BUG/MEDIUM: quic: Floating point exception in cubic_root()
X-Git-Tag: v2.7-dev3~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c77a5eb8e614db4abdb335edd1872c6dc51ccf7;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: Floating point exception in cubic_root()

It is illegal to call my_flsl() with 0 as parameter value. It is a UB.
This led cubic_root() to divide values by 0 at this line:

    x = 2 * x + (uint32_t)(val / ((uint64_t)x * (uint64_t)(x - 1)));

Thank you to Tristan971 for having reported this issue in GH #1808
and Willy for having spotted the root cause of this bug.

Must follow any cubic for QUIC backport (2.6).
---
diff --git a/src/quic_cc_cubic.c b/src/quic_cc_cubic.c index be48b6fee0..dc6ef9fc0e 100644 --- a/src/quic_cc_cubic.c +++ b/src/quic_cc_cubic.c @@ -75,8 +75,7 @@ static uint32_t cubic_root(uint64_t val) 244, 245, 246, 248, 250, 251, 252, 254, }; - b = my_flsl(val); - if (b < 7) { + if (!val || (b = my_flsl(val)) < 7) { /* val in [0..63] */ return ((uint32_t)v[(uint32_t)val] + 35) >> 6; }
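
Review bot: In the new condition `if (!val || (b = my_flsl(val)) < 7)`, the assignment to `b` sits in the second operand of `||`, so `b` is never set when `val` is 0 and correctness depends on that branch returning before `b` is read. It does return here, so the change is sound, but nothing at the call site says why `!val` is tested first; the only comment, `/* val in [0..63] */`, describes the range and not the constraint. A one-line comment stating that my_flsl() must not be called with 0 would stop a later cleanup from hoisting the call back out into `b = my_flsl(val);`, which is exactly the form being removed. Splitting the zero check from an unconditional assignment to `b` would make the guard explicit as well. Since the commit message ties the crash to the later division by `(uint64_t)x * (uint64_t)(x - 1)`, it is also worth confirming that no other caller of my_flsl() in this file can pass 0.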