From d085f9ea664ea7abf2e54c9754cbfcae9e80cbc5 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sun, 26 Oct 2014 22:09:38 +0000
Subject: [PATCH] SSU: Fix ACK Sender thread dying on corrupt packet

---
 history.txt                                        |  6 ++++++
 router/java/src/net/i2p/router/RouterVersion.java  |  2 +-
 .../router/transport/udp/InboundMessageState.java  | 14 ++++++++++----
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/history.txt b/history.txt
index 18dd3784e..df2d610ee 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,9 @@
+2014-10-26 zzz
+ * SSU: Fix ACK Sender thread dying on corrupt packet
+
+2014-10-24 zzz
+ * i2ptunnel: Fix description entered via wizard
+
 2014-10-23 zzz
  * SessionKeyManager:
    - Raise inbound limit
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 25340f779..421ff4f63 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 15;
+    public final static long BUILD = 16;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";
diff --git a/router/java/src/net/i2p/router/transport/udp/InboundMessageState.java b/router/java/src/net/i2p/router/transport/udp/InboundMessageState.java
index fcaae36dd..8c20dba17 100644
--- a/router/java/src/net/i2p/router/transport/udp/InboundMessageState.java
+++ b/router/java/src/net/i2p/router/transport/udp/InboundMessageState.java
@@ -72,10 +72,14 @@ class InboundMessageState implements CDQEntry {
         _log = ctx.logManager().getLog(InboundMessageState.class);
         _messageId = messageId;
         _from = from;
-        if (data.readMessageIsLast(dataFragment))
-            _fragments = new ByteArray[1 + data.readMessageFragmentNum(dataFragment)];
-        else
+        if (data.readMessageIsLast(dataFragment)) {
+            int num = 1 + data.readMessageFragmentNum(dataFragment);
+            if (num > MAX_FRAGMENTS)
+                throw new DataFormatException("corrupt - too many fragments: " + num);
+            _fragments = new ByteArray[num];
+        } else {
             _fragments = new ByteArray[MAX_FRAGMENTS];
+        }
         _lastFragment = -1;
         _completeSize = -1;
         _receiveBegin = ctx.clock().now();
@@ -222,8 +226,10 @@ class InboundMessageState implements CDQEntry {
         return _completeSize;
     }
 
+    /** FIXME synch here or PeerState.fetchPartialACKs() */
     public ACKBitfield createACKBitfield() {
-        int sz = (_lastFragment >= 0) ? _lastFragment + 1 : _fragments.length;
+        int last = _lastFragment;
+        int sz = (last >= 0) ? last + 1 : _fragments.length;
         return new PartialBitfield(_messageId, _fragments, sz);
     }