From 7b5d9b1f03cef92bda6cd2a3be93b9bbbfd61734 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 28 Nov 2022 17:21:45 +0100
Subject: [PATCH] BUG/MINOR: quic: Endless loop during retransmissions

qc_dgrams_retransmit() could reuse the same local list and could splice it two times to the packet number space list of frame to be send/resend. This creates a loop in this list and makes qc_build_frms() possibly endlessly loop when trying to build frames from the packet number space list of frames. Then haproxy aborts. This issue could be easily reproduced patching qc_build_frms() function to set variable value to 0 after having built at least 10 CRYPTO frames and using ngtcp2 as client with 30% packet loss in both direction. Thank you to @gabrieltz for having reported this issue in GH #1903. Must be backported to 2.6.
---
 src/quic_conn.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 4edd5f9e0..d54c3b589 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4243,10 +4243,10 @@ static void qc_dgrams_retransmit(struct quic_conn *qc)
 int i;

 if (hqel->pktns->flags & QUIC_FL_PKTNS_PROBE_NEEDED) {
- struct list frms1 = LIST_HEAD_INIT(frms1);
-
 hqel->pktns->tx.pto_probe = 0;
 for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++) {
+ struct list frms1 = LIST_HEAD_INIT(frms1);
+
 qc_prep_fast_retrans(qc, hqel, &frms1, NULL);
 TRACE_DEVEL("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms1);
 if (!LIST_ISEMPTY(&frms1)) {
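Review bot: The `frms1` declaration that now sits inside the `for` loop has no comment saying why it must be re-initialised on every iteration, so a later tidy-up could hoist it back out and reintroduce the cyclic frame list that made qc_build_frms() loop until haproxy aborted. I would put `/* Fresh head per datagram: a head already spliced into the pktns frame list must never be spliced again. */` directly above it. Going by the commit message the condition is reached through retransmissions under packet loss, so this is an availability issue and the invariant deserves to be written down next to the code. The loop body and the rest of qc_dgrams_retransmit() continue outside the hunk, so whether other local list heads in that function are reused in the same way cannot be checked from here.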