From: Frederic Lecaille Date: Thu, 17 Oct 2024 05:38:14 +0000 (+0200) Subject: BUG/MINOR: quic: avoid leaking post handshake frames X-Git-Tag: v3.1-dev11~114 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19aa320f640f701544c3441787da1577a2479590;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: avoid leaking post handshake frames This bug came with this commit: f627b92 BUG/MEDIUM: quic: always validate sender address on 0-RTT If an error happens in quic_build_post_handshake_frames() during the code exexuted for th NEW_TOKEN frame allocation, some could leak because of the wrong label used to interrupt this function asap. Replace the "goto leave" by "goto err" to deallocated such frames to fix this issue. Must be backported as far as 2.9. --- diff --git a/src/quic_conn.c b/src/quic_conn.c index 9701eaab2e..5adf528b5c 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -462,7 +462,7 @@ int quic_stateless_reset_token_cpy(unsigned char *pos, size_t len, */ int quic_build_post_handshake_frames(struct quic_conn *qc) { - int ret = 0, max; + int ret = 0, max = 0; struct quic_enc_level *qel; struct quic_frame *frm, *frmbak; struct list frm_list = LIST_HEAD_INIT(frm_list); @@ -488,7 +488,7 @@ int quic_build_post_handshake_frames(struct quic_conn *qc) frm = qc_frm_alloc(QUIC_FT_NEW_TOKEN); if (!frm) { TRACE_ERROR("frame allocation error", QUIC_EV_CONN_IO_CB, qc); - goto leave; + goto err; } new_token_frm_len = @@ -496,7 +496,7 @@ int quic_build_post_handshake_frames(struct quic_conn *qc) sizeof(frm->new_token.data), &qc->peer_addr); if (!new_token_frm_len) { TRACE_ERROR("token generation failed", QUIC_EV_CONN_IO_CB, qc); - goto leave; + goto err; } BUG_ON(new_token_frm_len != sizeof(frm->new_token.data));