mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: Wrong packet refcount handling in qc_pkt_insert()

Browse Source 
The QUIC connection I/O handler qc_conn_io_cb() could be called just after
qc_pkt_insert() have inserted a packet in a its tree, and before qc_pkt_insert()
have incremented the reference counter to this packet. As qc_conn_io_cb()
decrement this counter, the packet could be released before qc_pkt_insert()
might increment the counter, leading to possible crashes when trying to do so.
So, let's make qc_pkt_insert() increment this counter before inserting the packet
it is tree. No need to lock anything for that.
This commit is contained in:
Frédéric Lécaille 2021-12-20 14:41:19 +01:00
parent f1d38cbe15
commit 2ce5acf7ed
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/xprt_quic.c
View File

@ -3610,10 +3610,10 @@ static int qc_pkt_may_rm_hp(struct quic_rx_packet *pkt,
static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel) static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel)
{ {
pkt->pn_node.key = pkt->pn; pkt->pn_node.key = pkt->pn;
quic_rx_packet_refinc(pkt);
HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
eb64_insert(&qel->rx.pkts, &pkt->pn_node); eb64_insert(&qel->rx.pkts, &pkt->pn_node);
HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
quic_rx_packet_refinc(pkt);
} }
/* Try to remove the header protection of <pkt> QUIC packet attached to <qc> /* Try to remove the header protection of <pkt> QUIC packet attached to <qc>