Skip to content

[DeepTest] Division by zero in OnDataAcknowledged NetStats event path #5836

New issue
New issue
Open
Bug
#5838
Open
[DeepTest] Division by zero in OnDataAcknowledged NetStats event path#5836
Bug
#5838
Assignees
saikat107copilot-swe-agent
Labels
HowFound: MSR
@saikat107

Description

@saikat107
saikat107
opened on Mar 2, 2026

Describe the bug

Location: src/core/cubic.c, line 701
Event.NETWORK_STATISTICS.Bandwidth = Cubic->CongestionWindow / Path->SmoothedRtt;

Root cause: Same division-by-zero pattern as #5833, but in the OnDataAcknowledged function's NetStatsEventEnabled path. If NetStatsEventEnabled is TRUE and an ACK is processed before SmoothedRtt is set, the same crash occurs.

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

No response

MsQuic version

main

Steps taken to reproduce bug

  1. Add the following test in src/core/unittest/CubicTest.cpp
TEST(CubicTest, DeepTest_Bug_NetStatsEventDivByZero)
{
    QUIC_CONNECTION Connection;
    QUIC_SETTINGS_INTERNAL Settings{};
    Settings.InitialWindowPackets = 10;
    Settings.SendIdleTimeoutMs = 1000;

    InitializeMockConnection(Connection, 1280);
    Connection.Settings.NetStatsEventEnabled = TRUE;
    Connection.ClientCallbackHandler = DummyConnectionCallback;
    // SmoothedRtt is 0 by default

    CubicCongestionControlInitialize(&Connection.CongestionControl, &Settings);

    QUIC_CONGESTION_CONTROL_CUBIC* Cubic = &Connection.CongestionControl.Cubic;
    Cubic->BytesInFlight = 5000;

    QUIC_ACK_EVENT AckEvent;
    CxPlatZeroMemory(&AckEvent, sizeof(AckEvent));
    AckEvent.TimeNow = 1000000;
    AckEvent.LargestAck = 5;
    AckEvent.LargestSentPacketNumber = 10;
    AckEvent.NumRetransmittableBytes = 1000;
    AckEvent.NumTotalAckedRetransmittableBytes = 1000;
    AckEvent.SmoothedRtt = 0; // No RTT sample
    AckEvent.MinRtt = 0;
    AckEvent.MinRttValid = FALSE;
    AckEvent.AckedPackets = NULL;

    // This will crash with STATUS_INTEGER_DIVIDE_BY_ZERO
    // because Path->SmoothedRtt=0 and line 701 does: CongestionWindow / SmoothedRtt
    Connection.CongestionControl.QuicCongestionControlOnDataAcknowledged(
        &Connection.CongestionControl, &AckEvent);
}
  1. Build and run the test with filter CubicTest.DeepTest_Bug_NetStatsEventDivByZero

Expected behavior

Should not crash.

Actual outcome

STATUS_INTEGER_DIVIDE_BY_ZERO crash

Additional details

No response

Metadata

Metadata

Assignees

Labels

HowFound: MSR

Type

Bug

Projects

Transport Tracker

Status

No status

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions