mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: Crash upon too big packets receipt

Browse Source 
This bug came with this commit:
    ("MINOR: quic: RX packets memory leak")
Too big packets were freed twice.
This commit is contained in:
Frédéric Lécaille 2021-09-23 07:33:20 +02:00 committed by Amaury Denoyelle
parent 3230bcfdc4
commit 865b07855e
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/xprt_quic.c
View File

@ -580,12 +580,15 @@ static void quic_trace(enum trace_level level, uint64_t mask, const struct trace
} }
if (mask & QUIC_EV_CONN_LPKT) { if (mask & QUIC_EV_CONN_LPKT) {
const struct quic_rx_packet *pkt = a2; const struct quic_rx_packet *pkt = a2;
const uint64_t *len = a3;
if (conn) if (conn)
chunk_appendf(&trace_buf, " xprt_ctx@%p qc@%p", conn->xprt_ctx, conn->qc); chunk_appendf(&trace_buf, " xprt_ctx@%p qc@%p", conn->xprt_ctx, conn->qc);
if (pkt) if (pkt)
chunk_appendf(&trace_buf, " pkt@%p type=0x%02x %s pkt->qc@%p", chunk_appendf(&trace_buf, " pkt@%p type=0x%02x %s pkt->qc@%p",
pkt, pkt->type, qc_pkt_long(pkt) ? "long" : "short", pkt->qc); pkt, pkt->type, qc_pkt_long(pkt) ? "long" : "short", pkt->qc);
if (len)
chunk_appendf(&trace_buf, " len=%llu", (ull)*len);
} }
} }
@ -4599,6 +4602,7 @@ static ssize_t quic_dgram_read(char *buf, size_t len, void *owner,
do { do {
int ret; int ret;
struct quic_rx_packet *pkt; struct quic_rx_packet *pkt;
size_t pkt_len;
pkt = pool_zalloc(pool_head_quic_rx_packet); pkt = pool_zalloc(pool_head_quic_rx_packet);
if (!pkt) if (!pkt)
@ -4606,16 +4610,12 @@ static ssize_t quic_dgram_read(char *buf, size_t len, void *owner,
quic_rx_packet_refinc(pkt); quic_rx_packet_refinc(pkt);
ret = func(&pos, end, pkt, &dgram_ctx, saddr); ret = func(&pos, end, pkt, &dgram_ctx, saddr);
if (ret == -1) {
size_t pkt_len;
pkt_len = pkt->len; pkt_len = pkt->len;
quic_rx_packet_refdec(pkt); quic_rx_packet_refdec(pkt);
if (ret == -1 && !pkt_len)
/* If the packet length could not be found, we cannot continue. */ /* If the packet length could not be found, we cannot continue. */
if (!pkt_len)
break; break;
}
quic_rx_packet_refdec(pkt);
} while (pos < end); } while (pos < end);
/* Increasing the received bytes counter by the UDP datagram length /* Increasing the received bytes counter by the UDP datagram length