From: Frédéric Lécaille Date: Thu, 23 Jun 2022 16:00:37 +0000 (+0200) Subject: BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer X-Git-Tag: v2.7-dev1~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19ef6369b5539daa9da63195df630b08e4b0cccd;p=thirdparty%2Fhaproxy.git BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer When entering quic_sock_fd_iocb() I/O handler which is responsible of recvfrom() datagrams, the first thing which is done it to try to reuse a dgram object containing metadata about the received datagrams which has been consumed by the connection thread. If this object could not be used for any reason, so when we "goto out" of this function, we must release the memory allocated for this objet, if not it will leak. Most of the time, this happened when we fulfilled a buffer as reported in GH #1749 by Tristan. This is why we added a pool_free() call just before the out label. We mark as NULL when it successfully could be used. Thank you for Tristan and Willy for their participation on this issue. Must be backported to 2.6. --- diff --git a/src/quic_sock.c b/src/quic_sock.c index 4444ab8587..090cec1bb5 100644 --- a/src/quic_sock.c +++ b/src/quic_sock.c @@ -278,6 +278,7 @@ void quic_sock_fd_iocb(int fd) BUG_ON(!l); + new_dgram = NULL; if (!l) return; @@ -290,8 +291,7 @@ void quic_sock_fd_iocb(int fd) buf = &rxbuf->buf; - new_dgram = NULL; - /* Remove all consumed datagrams of this buffer */ + /* Try to reuse an existing dgram */ list_for_each_entry_safe(dgram, dgramp, &rxbuf->dgrams, list) { if (HA_ATOMIC_LOAD(&dgram->buf)) break; @@ -300,8 +300,6 @@ void quic_sock_fd_iocb(int fd) b_del(buf, dgram->len); if (!new_dgram) new_dgram = dgram; - else - pool_free(pool_head_quic_dgram, dgram); } params = &l->bind_conf->quic_params; @@ -349,7 +347,9 @@ void quic_sock_fd_iocb(int fd) /* If wrong, consume this datagram */ b_del(buf, ret); } + new_dgram = NULL; out: + pool_free(pool_head_quic_dgram, new_dgram); MT_LIST_APPEND(&l->rx.rxbuf_list, &rxbuf->mt_list); }