From 30ca93fceca822022b3ebd83c257cba0a93f39aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miko=C5=82aj=20Ma=C5=82ecki?= <mmalecki@haivision.com>
Date: Tue, 24 Nov 2020 09:23:08 +0100
Subject: [PATCH] [core] Fix: check incoming ACK value in case of a rogue peer

---
 srtcore/core.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/srtcore/core.cpp b/srtcore/core.cpp
index ab8f559fe..79419ff8e 100644
--- a/srtcore/core.cpp
+++ b/srtcore/core.cpp
@@ -8358,6 +8358,18 @@ void CUDT::processCtrlAck(const CPacket &ctrlpkt, const steady_clock::time_point
     const int32_t* ackdata       = (const int32_t*)ctrlpkt.m_pcData;
     const int32_t  ackdata_seqno = ackdata[ACKD_RCVLASTACK];
 
+    // Check the value of ACK in case when it was some rogue peer
+    if (ackdata_seqno < 0)
+    {
+        // This embraces all cases when the most significant bit is set,
+        // as the variable is of a signed type. So, SRT_SEQNO_NONE is
+        // included, but it also triggers for any other kind of invalid value.
+        // This check MUST BE DONE before making any operation on this number.
+        LOGC(inlog.Error, log << CONID() << "ACK: IPE/EPE: received invalid ACK value: " << ackdata_seqno
+                << " " << std::hex << ackdata_seqno << " (IGNORED)");
+        return;
+    }
+
     const bool isLiteAck = ctrlpkt.getLength() == (size_t)SEND_LITE_ACK;
     HLOGC(inlog.Debug,
           log << CONID() << "ACK covers: " << m_iSndLastDataAck << " - " << ackdata_seqno << " [ACK=" << m_iSndLastAck