Fix bug in mempool get_transaction_stats histogram calculation
The 98th percentile position in the agebytes map was incorrectly calculated: it assumed the transactions in the mempool all have unique timestamps at second-granularity. This commit fixes this by correctly finding the right cumulative number of transactions in the map suffix. This bug could lead to an out-of-bounds write in the rare case that all transactions in the mempool were received (and added to the mempool) at a rate of at least 50 transactions per second. (More specifically, the number of *unique* receive_time values, which have second- granularity, must be at most 2% of the number of transactions in the mempool for this crash to trigger.) If this condition is satisfied, 'it' points to *before* the agebytes map, 'delta' gets a nonsense value, and the value of 'i' in the first stats.histo-filling loop will be out of bounds of stats.histo.
This commit is contained in:
parent
85014813cf
commit
6bbc646e6f
|
@ -747,7 +747,14 @@ namespace cryptonote
|
||||||
* the first 9 bins, drop final 2% in last bin.
|
* the first 9 bins, drop final 2% in last bin.
|
||||||
*/
|
*/
|
||||||
it = agebytes.end();
|
it = agebytes.end();
|
||||||
for (size_t n=0; n <= end; n++, it--);
|
size_t cumulative_num = 0;
|
||||||
|
/* Since agebytes is not empty and end is nonzero, the
|
||||||
|
* below loop can always run at least once.
|
||||||
|
*/
|
||||||
|
do {
|
||||||
|
--it;
|
||||||
|
cumulative_num += it->second.txs;
|
||||||
|
} while (it != agebytes.begin() && cumulative_num < end);
|
||||||
stats.histo_98pc = it->first;
|
stats.histo_98pc = it->first;
|
||||||
factor = 9;
|
factor = 9;
|
||||||
delta = it->first;
|
delta = it->first;
|
||||||
|
|
Loading…
Reference in New Issue