From 865b07855e18b8deed9af57f8a1aeac20dc567ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Thu, 23 Sep 2021 07:33:20 +0200
Subject: [PATCH] MINOR: quic: Crash upon too big packets receipt
This bug came with this commit: ("MINOR: quic: RX packets memory leak") Too big packets were freed twice.
---
 src/xprt_quic.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 98fef556a..826538c61 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -580,12 +580,15 @@ static void quic_trace(enum trace_level level, uint64_t mask, const struct trace
 }
 if (mask & QUIC_EV_CONN_LPKT) {
 const struct quic_rx_packet *pkt = a2;
+ const uint64_t *len = a3;
 if (conn)
 chunk_appendf(&trace_buf, " xprt_ctx@%p qc@%p", conn->xprt_ctx, conn->qc);
 if (pkt)
 chunk_appendf(&trace_buf, " pkt@%p type=0x%02x %s pkt->qc@%p", pkt, pkt->type, qc_pkt_long(pkt) ? "long" : "short", pkt->qc);
+ if (len)
+ chunk_appendf(&trace_buf, " len=%llu", (ull)*len);
 }
 }
@@ -4599,6 +4602,7 @@ static ssize_t quic_dgram_read(char *buf, size_t len, void *owner,
 do {
 int ret;
 struct quic_rx_packet *pkt;
+ size_t pkt_len;
 pkt = pool_zalloc(pool_head_quic_rx_packet);
 if (!pkt)
@@ -4606,16 +4610,12 @@ static ssize_t quic_dgram_read(char *buf, size_t len, void *owner,
 quic_rx_packet_refinc(pkt);
 ret = func(&pos, end, pkt, &dgram_ctx, saddr);
- if (ret == -1) {
- size_t pkt_len;
-
- pkt_len = pkt->len;
- quic_rx_packet_refdec(pkt);
- /* If the packet length could not be found, we cannot continue. */
- if (!pkt_len)
- break;
- }
+ pkt_len = pkt->len;
 quic_rx_packet_refdec(pkt);
+ if (ret == -1 && !pkt_len)
+ /* If the packet length could not be found, we cannot continue. */
+ break;
+
 } while (pos < end);
 /* Increasing the received bytes counter by the UDP datagram length
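Review bot: The new `len` in the QUIC_EV_CONN_LPKT branch reinterprets the untyped `a3` argument as `const uint64_t *` and dereferences it, but nothing visible in this patch passes a3 for that event or documents the expected type. In quic_dgram_read the length is held in a `size_t pkt_len`; if a call site outside these hunks ever passes `&pkt_len`, a 32-bit build would read eight bytes from a four-byte object. I would state the contract next to the declaration, e.g. `/* a3: optional pointer to a uint64_t packet length, never a size_t * */`, and confirm that existing QUIC_EV_CONN_LPKT callers pass either NULL or a uint64_t pointer there. quic_trace starts and ends outside the hunk.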
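Review bot: The ordering `pkt_len = pkt->len;` followed by `quic_rx_packet_refdec(pkt);` is what keeps this path from touching a released packet, yet the code does not say so, and the commit message indicates the previous arrangement freed the packet twice. A short comment above the read, such as `/* Read the length before dropping our reference: pkt may be released by the refdec below. */`, would protect the invariant from a later reordering. The brace-less `if (ret == -1 && !pkt_len)` with a comment sitting between the condition and `break;` is also fragile; bracing it keeps a future added statement from silently landing outside the condition. The do/while loop opens in the previous hunk and quic_dgram_read continues past this one.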