mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-10 09:07:02 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: quic: Frames added to packets even if not built.

Browse Source 
Several frames could remain as not build into <frm_list> built by qc_build_frms()
after having stopped at the first building error. So only one frame was reinserted in
the frame list passed as parameter to qc_do_build_pkt(). Then <frm_list> was
spliced to the packet frame list even its frames were not built, nor attached to
any packet. Such frames had their ->pkt member set to NULL, but considered as
built, then sent leading to a crash in qc_release_frm() where ->pkt is dereferenced.

This issue was again reported by useful traces provided by Tristan in GH #1808.

Must be backported to 2.6.
This commit is contained in:
Frédéric Lécaille 2022-08-27 15:51:30 +02:00
parent e35463c767
commit 149c531fa1
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/xprt_quic.c
View File

@ -6806,14 +6806,12 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
ssize_t room = end - pos; ssize_t room = end - pos;
TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT, TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT,
qc, NULL, NULL, &room); qc, NULL, NULL, &room);
/* TODO: this should not have happened except if we /* Note that <cf> was added from <frms> to <frm_list> list by
* are limited by the congestion control.
* Note that <cf> was added from <frm_list> to <frms> list by
* qc_build_frms(). * qc_build_frms().
*/ */
LIST_DELETE(&cf->list); LIST_DELETE(&cf->list);
LIST_INSERT(frms, &cf->list); LIST_INSERT(frms, &cf->list);
break; continue;
} }
quic_tx_packet_refinc(pkt); quic_tx_packet_refinc(pkt);