BUG/MINOR: quic: Endless loop during retransmissions

qc_dgrams_retransmit() could reuse the same local list and could splice it two
times to the packet number space list of frame to be send/resend. This creates a
loop in this list and makes qc_build_frms() possibly endlessly loop when trying
to build frames from the packet number space list of frames. Then haproxy aborts.

This issue could be easily reproduced patching qc_build_frms() function to set <dlen>
variable value to 0 after having built at least 10 CRYPTO frames and using ngtcp2
as client with 30% packet loss in both direction.

Thank you to @gabrieltz for having reported this issue in GH #1903.

Must be backported to 2.6.

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 4edd5f9e00fadb37214dd9342aaf8bec4f844e28..d54c3b589b79850e868f8a4ab78379400e75fae4 100644 (file)
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4243,10 +4243,10 @@ static void qc_dgrams_retransmit(struct quic_conn *qc)
                int i;
 
                if (hqel->pktns->flags & QUIC_FL_PKTNS_PROBE_NEEDED) {
-                       struct list frms1 = LIST_HEAD_INIT(frms1);
-
                        hqel->pktns->tx.pto_probe = 0;
                        for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++) {
+                               struct list frms1 = LIST_HEAD_INIT(frms1);
+
                                qc_prep_fast_retrans(qc, hqel, &frms1, NULL);
                                TRACE_DEVEL("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms1);
                                if (!LIST_ISEMPTY(&frms1)) {