Care must be taken when reading/writing offset for STREAM frames. A
special OFF bit is set in the frame type to indicate that the field is
present. If not set, it is assumed that offset is 0.
To represent this, offset field of quic_stream structure must always be
initialized with a valid value in regards with its frame type OFF bit.
The previous code has no bug in part because pool_zalloc() is used to
allocate quic_frame instances. To be able to use pool_alloc(), offset is
always explicitely set to 0. If a non-null value is used, OFF bit is set
at the same occasion. A new BUG_ON() statement is added on frame builder
to ensure that the caller has set OFF bit if offset is non null.
This should be backported up to 2.7.
frm->stream.id = qcs->id;
frm->stream.buf = out;
frm->stream.data = (unsigned char *)b_peek(out, head);
+ frm->stream.offset.key = 0;
/* FIN is positioned only when the buffer has been totally emptied. */
if (fin)
new_cf->stream.stream = cf->stream.stream;
new_cf->stream.buf = cf->stream.buf;
new_cf->stream.id = cf->stream.id;
- if (cf->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT)
- new_cf->stream.offset = cf->stream.offset;
+ new_cf->stream.offset = cf->stream.offset;
new_cf->stream.len = dlen;
new_cf->type |= QUIC_STREAM_FRAME_TYPE_LEN_BIT;
/* FIN bit reset */
struct quic_stream *stream = &frm->stream;
const unsigned char *wrap;
+ /* Caller must set OFF bit if and only if a non-null offset is used. */
+ BUG_ON(!!(frm->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT) !=
+ !!stream->offset.key);
+
if (!quic_enc_int(buf, end, stream->id) ||
((frm->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT) && !quic_enc_int(buf, end, stream->offset.key)) ||
((frm->type & QUIC_STREAM_FRAME_TYPE_LEN_BIT) &&
projects / thirdparty / haproxy.git / commitdiff
