From: Amaury Denoyelle
Date: Fri, 8 Nov 2024 11:40:29 +0000 (+0100)
Subject: BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error
X-Git-Tag: v3.1-dev12~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2975e8805d9e84010bf5199a2365d650923dbb2c;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error

A packet which contains several split and out-of-order CRYPTO frames may be parsed multiple times to ensure it can be handled via ncbuf. Only 3 iterations can be performed to prevent excessive CPU usage.

There is a risk of crash if packet parsing is interrupted after the maximum number of iterations is reached, or no progress can be made on the ncbuf. This is because frm may be dangling after list_for_each_entry_safe(). The crash occurs on qc_frm_free() invocation, on the error path of qc_parse_pkt_frms().

To fix it, always reset frm to NULL after list_for_each_entry_safe() to ensure it is not dangling.

This should fix the new report on GitHub issue #2776.

This regression has been triggered by the following patch:
  1767196d5b2d8d1e557f7b3911a940000166ecda
  BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO

As such, it must be backported up to 2.6, after the above patch.
---
diff --git a/src/quic_rx.c b/src/quic_rx.c index 69a36ec77c..c88a599ebf 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt, break; } } + + /* Always reset as it may be dangling after + * list_for_each_entry_safe() usage. Especially necessary to + * prevent a crash if loop is interrupted on max iteration. + */ + frm = NULL; } /* Error should be returned if some frames cannot be parsed. */
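Review bot: the added comment in the quic_rx.c hunk should name the consumer that dereferences the stale cursor, since the reset only makes sense in relation to it: per the commit message this is qc_frm_free() on the error path of qc_parse_pkt_frms(), which frees whatever frm points to. Without that pointer the "may be dangling" wording reads as a generic precaution and a later refactor could drop the line. A second remark on the same comment: the cursor is stale not only when the loop is interrupted on the max-iteration `break`, but also after a full pass of list_for_each_entry_safe(), where the iterator variable ends up pointing at the list head cast to an entry rather than at a valid frame, so "Especially necessary to prevent a crash if loop is interrupted" understates the case; suggest "frm is never valid after the loop, whether it completes or is interrupted on max iteration; the error path frees it, so it must be NULL here". Finally, consider whether the more robust shape is to initialise frm to NULL at its declaration and clear it at each point where a frame is consumed or freed inside the loop, so that any future early `break` from the inner loop is safe by construction rather than relying on this single reset after the loop body.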