From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Wed, 7 Sep 2022 13:06:52 +0000 (+0200)
Subject: BUG/MINOR: quic: Wrong connection ID to thread ID association
X-Git-Tag: v2.7-dev6~92
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3122c75fd1f9a73a13ec533a4f313be0af1c5348;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Wrong connection ID to thread ID association

To work, quic_pin_cid_to_tid() must set cid[0] to a value with <target_id>
as <global.nbthread> modulo. For each integer n, (n - (n % m)) + d has always
d as modulo m (with d < m).

So, this statement seemed correct:

     cid[0] = cid[0] - (cid[0] % global.nbthread) + target_tid;

except when n wraps or when another modulo is applied to the addition result.
Here, for 8bit modulo arithmetic, if m does not divides 256, this cannot
works for values which wraps when we increment them by d.
For instance n=255 m=3 and d=1 the formula result is 0 (should be d).

To fix this, we first limit c[0] to 255 - <target_id> to prevent c[0] from wrapping.

Thank you to @esb for having reported this issue in GH #1855.

Must be backported to 2.6
---

diff --git a/include/haproxy/xprt_quic.h b/include/haproxy/xprt_quic.h
index e84959ff47..5899238082 100644
--- a/include/haproxy/xprt_quic.h
+++ b/include/haproxy/xprt_quic.h
@@ -225,6 +225,7 @@ static inline unsigned long quic_get_cid_tid(const unsigned char *cid)
  */
 static inline void quic_pin_cid_to_tid(unsigned char *cid, int target_tid)
 {
+	cid[0] = MIN(cid[0], 255 - target_tid);
 	cid[0] = cid[0] - (cid[0] % global.nbthread) + target_tid;
 }