From c6bec2a3afdd537a617fbd9e1ae88a50f81f689d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Mon, 24 Apr 2023 11:20:32 +0200 Subject: [PATCH] BUG/MINOR: quic: Possible leak during probing retransmissions qc_dgrams_retransmit() prepares two list of frames to be retransmitted into two datagrams. If the first datagram could not be sent, the TX buffer will be purged with the prepared packet and its frames, but this was not the case for the second list of frames. Must be backported in 2.7. --- src/quic_conn.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/quic_conn.c b/src/quic_conn.c index 6b66c223a..007afee58 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -4961,8 +4961,10 @@ static int qc_dgrams_retransmit(struct quic_conn *qc) TRACE_PROTO("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms2); if (!LIST_ISEMPTY(&frms1)) { aqel->pktns->tx.pto_probe = 1; - if (!qc_send_app_probing(qc, &frms1)) + if (!qc_send_app_probing(qc, &frms1)) { + qc_free_frm_list(&frms2, qc); goto leave; + } /* Put back unsent frames into their packet number spaces */ LIST_SPLICE(&aqel->pktns->tx.frms, &frms1);