From cd225da46ca47d3fc62ecc9012fc54dc6aa49b34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Wed, 22 Nov 2023 14:57:28 +0100
Subject: [PATCH] BUG/MINOR: quic: Possible leak of TX packets under heavy load

This bug could be reproduced with -dMfail and detected by adding a counter of TX packets to the QUIC connection. When released by calling quic_conn_release() the connection should have a null counter of TX packets. This was not always the case.

This could occur during the handshake step: a first packet was built, then another one should have followed in the same datagram, but failed due to a memory allocation issue. As the datagram length and first TX packet were not written in the TX buffer, this latter could not really be purged by qc_purge_tx_buf() even if called.

This bug occurred only when building coalesced packets in the same datagram.

To fix this, write the packet information (datagram length and first packet address) in the TX buffer before purging it.

Must be backported as far as 2.6.

--- src/quic_tx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/quic_tx.c b/src/quic_tx.c index 4f4551b16..d4529fb1a 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -1139,6 +1139,8 @@ int qc_prep_hpkts(struct quic_conn *qc, struct buffer *buf, struct list *qels) must_ack, padding, probe, cc, &err); switch (err) { case -3: + if (first_pkt) + qc_txb_store(buf, dglen, first_pkt); qc_purge_tx_buf(qc, buf); goto leave; case -2:
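
Review bot: in the `case -3:` branch the new `qc_txb_store(buf, dglen, first_pkt)` sits directly before `qc_purge_tx_buf(qc, buf)` with no comment, and storing into a buffer that is about to be purged reads like a mistake to anyone who has not seen the commit message. A short comment at that spot, saying that the datagram length and first packet address must be written so that the purge can release the packets already built, would keep the two lines from being removed as dead code later. Only the label of `case -2:` is visible below this branch; if that path can also leave with a first packet built but not yet stored, it needs the same handling, so please confirm it was checked. The commit message describes a TX packet counter used to detect the leak, but that counter is not part of this diff; a debug-only check of it in quic_conn_release() would catch a regression on this or a similar error path.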