From: Amaury Denoyelle Date: Thu, 30 Sep 2021 09:03:28 +0000 (+0200) Subject: BUG/MAJOR: quic: remove qc from receiver cids tree on free X-Git-Tag: v2.5-dev9~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2af1985af830031ffbfdadc85981a2c76d744fbf;p=thirdparty%2Fhaproxy.git BUG/MAJOR: quic: remove qc from receiver cids tree on free Remove the quic_conn from the receiver connection_ids tree on quic_conn_free. This fixes a crash due to dangling references in the tree after a quic connection release. This operation must be conducted under the listener lock. For this reason, the quic_conn now contains a reference to its attached listener. --- diff --git a/include/haproxy/xprt_quic-t.h b/include/haproxy/xprt_quic-t.h index 6e83594deb..9e282f5d5e 100644 --- a/include/haproxy/xprt_quic-t.h +++ b/include/haproxy/xprt_quic-t.h @@ -657,6 +657,7 @@ struct quic_conn { struct quic_path paths[1]; struct quic_path *path; + struct listener *li; /* only valid for frontend connections */ /* MUX */ struct qcc *qcc; struct task *timer_task; diff --git a/src/xprt_quic.c b/src/xprt_quic.c index cee93229ef..3fd4632848 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -2903,6 +2903,13 @@ static void quic_conn_free(struct quic_conn *conn) return; free_quic_conn_cids(conn); + + /* remove the connection from receiver cids trees */ + HA_RWLOCK_WRLOCK(OTHER_LOCK, &conn->li->rx.cids_lock); + ebmb_delete(&conn->odcid_node); + ebmb_delete(&conn->scid_node); + HA_RWLOCK_WRUNLOCK(OTHER_LOCK, &conn->li->rx.cids_lock); + for (i = 0; i < QUIC_TLS_ENC_LEVEL_MAX; i++) quic_conn_enc_level_uninit(&conn->els[i]); if (conn->timer_task) @@ -3004,6 +3011,7 @@ static struct quic_conn *qc_new_conn(unsigned int version, int ipv4, memcpy(qc->dcid.data, scid, scid_len); qc->dcid.len = scid_len; qc->tx.qring_list = &l->rx.tx_qrings; + qc->li = l; } /* QUIC Client (outgoing connection to servers) */ else {