BUG/MINOR: quic: Endless loop during retransmissions

qc_dgrams_retransmit() could reuse the same local list and could splice it two times to the packet number space list of frame to be send/resend. This creates a loop in this list and makes qc_build_frms() possibly endlessly loop when trying to build frames from the packet number space list of frames. Then haproxy aborts. This issue could be easily reproduced patching qc_build_frms() function to set <dlen> variable value to 0 after having built at least 10 CRYPTO frames and using ngtcp2 as client with 30% packet loss in both direction. Thank you to @gabrieltz for having reported this issue in GH #1903. Must be backported to 2.6.
2026-01-30 22:41:55 +01:00 · 2022-11-28 17:21:45 +01:00 · 2022-11-28 17:21:45 +01:00 · 7b5d9b1f03
commit 7b5d9b1f03
parent 2526a6aca5
1 changed files with 2 additions and 2 deletions
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@ -4243,10 +4243,10 @@ static void qc_dgrams_retransmit(struct quic_conn *qc)
 		int i;

 		if (hqel->pktns->flags & QUIC_FL_PKTNS_PROBE_NEEDED) {
-			struct list frms1 = LIST_HEAD_INIT(frms1);
-
 			hqel->pktns->tx.pto_probe = 0;
 			for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++) {
+				struct list frms1 = LIST_HEAD_INIT(frms1);
+
 				qc_prep_fast_retrans(qc, hqel, &frms1, NULL);
 				TRACE_DEVEL("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms1);
 				if (!LIST_ISEMPTY(&frms1)) {