BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets
authorFrédéric Lécaille <flecaille@haproxy.com>
Tue, 7 Nov 2023 17:29:28 +0000 (18:29 +0100)
committerFrédéric Lécaille <flecaille@haproxy.com>
Thu, 9 Nov 2023 09:32:31 +0000 (10:32 +0100)
This may happen during handshakes when Handshake packets cannot be coalesced
to a first Initial packet because of TX frame allocation failures (from
qc_build_frms()). This leads too short (not padded) Initial packets to be sent.
This is detected by a BUG_ON() in qc_send_ppkts().

To avoid this, a Handshake packet is built anyway, without the ack-eliciting
frames that qc_build_frms() should have built.

Must be backported as far as 2.6.

src/quic_tx.c

index 5d343600d583c0a3d657ef9acf984dd433bb578e..0a0e4bc79922b442966af8f052337fdba8a4235e 100644 (file)
@@ -2283,11 +2283,17 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
                                   end - pos, &len_frms, pos - beg, qel, qc)) {
                        TRACE_PROTO("Not enough room", QUIC_EV_CONN_TXPKT,
                                    qc, NULL, NULL, &room);
+                       if (padding) {
+                               len_frms = 0;
+                               goto comp_pkt_len;
+                       }
+
                        if (!ack_frm_len && !qel->pktns->tx.pto_probe)
                                goto no_room;
                }
        }
 
+ comp_pkt_len:
        /* Length (of the remaining data). Must not fail because, the buffer size
         * has been checked above. Note that we have reserved QUIC_TLS_TAG_LEN bytes
         * for the encryption tag. It must be taken into an account for the length
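Review bot: The new `padding` branch at the top of the hunk discards every frame (`len_frms = 0`) and jumps past the `no_room` bail-out, so the packet assembled after `comp_pkt_len` may contain no frame from the TX list and, when `ack_frm_len` is also zero, nothing but the padding added later; RFC 9000 §12.4 makes a frameless packet a PROTOCOL_VIOLATION, so this is only sound if the padding path always emits at least one PADDING frame for this packet, which the hunk does not show. A comment stating that invariant would help the next reader, e.g. `/* Padded packet: build it even without frames, the PADDING frames added below make it well-formed. */` above the `if (padding)`. The `TRACE_PROTO("Not enough room", ...)` is still emitted on this now-handled path, which reads as a failure in traces; testing `padding` before the trace, or adding a distinct trace point, would keep the log accurate. Whether qc_build_frms() can have already moved frames onto the output list before returning 0 is not visible here and is worth confirming, since `len_frms = 0` would then understate the packet content. qc_do_build_pkt() begins before the hunk and its body continues after it.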