From: Frédéric Lécaille
Date: Tue, 16 Nov 2021 09:54:19 +0000 (+0100)
Subject: MINOR: quic: Wrong ACK range building
X-Git-Tag: v2.5-dev15~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e25783d47edfc8efeb53a3c1a93aca270af1890;p=thirdparty%2Fhaproxy.git

MINOR: quic: Wrong ACK range building

When adding a range, if no "lower" range was present in the ack range root for the packet number space concerned, we did not check if the newly added range could overlap the next one. This led haproxy to crash when encoding a negative integer when building ACK frames.

This bug was revealed thanks to the "multi_packet_client_hello" QUIC tracker test which makes a client send two first Initial packets out of order.
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c index d4511609dc..0407cc7168 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -2592,6 +2592,8 @@ int quic_update_ack_ranges_list(struct quic_arngs *arngs, new_node = quic_insert_new_range(arngs, ar); if (!new_node) return 0; + + new = &new_node->first; } else { struct quic_arng_node *le_ar =
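
Review bot: The added `new = &new_node->first;` after the `if (!new_node) return 0;` check in quic_update_ack_ranges_list() carries no comment, and the code that consumes `new` lies outside the hunk's context, so nothing visible here shows that this assignment is what lets the newly inserted range be checked against the next one, as the commit message describes. A one-line comment above the assignment saying so would make the intent clear to the next reader. Because the crash came from encoding a negative integer while building ACK frames, a sanity check in the frame builder that refuses to encode overlapping ranges would also keep any future inconsistency in the range list from turning into a crash. The subject is tagged MINOR although the message describes a crash fix; a BUG/ prefix would mark it as a fix.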