From: Amaury Denoyelle
Date: Thu, 3 Oct 2024 16:11:08 +0000 (+0200)
Subject: MINOR: quic: strengthen qc_release_frm()
X-Git-Tag: v3.1-dev10~117
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=324a49ed4d1e3ef8a44fc7155e8dbff941863630;p=thirdparty%2Fhaproxy.git

MINOR: quic: strengthen qc_release_frm()

quic_frame is the type used to represent frames emitted in a QUIC Tx packet. Each frame is attached to a packet, and can also be linked to other frames from the same packet, or duplicated frames for retransmission.

As such, quic_frame free operation is a tedious process. qc_release_frm() has been implemented to ensure quic_frame is always properly freed after detaching from all its list attach points.

One particular point is to ensure that when a frame is released, the frame origin and all origin copies, including the current are flagged as acked and detached from the reflist. Add a BUG_ON() to ensure this loop is properly conducted when dealing with the current instance.

---
diff --git a/src/quic_frame.c b/src/quic_frame.c index 6c459353c8..9599b80c2e 100644 --- a/src/quic_frame.c +++ b/src/quic_frame.c @@ -1242,6 +1242,12 @@ void qc_release_frm(struct quic_conn *qc, struct quic_frame *frm) uint64_t pn; struct quic_frame *origin, *f, *tmp; + /* will be detached from its Tx packet via origin->reflist loop + * implemented below. It is thus expected that its pkt field is not + * NULL or else it may free the frame too soon. + */ + BUG_ON(!frm->pkt); + TRACE_ENTER(QUIC_EV_CONN_PRSAFRM, qc, frm); /* Identify this frame: a frame copy or one of its copies */
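Review bot: The new BUG_ON(!frm->pkt) at the top of qc_release_frm() makes a non-NULL pkt field a hard precondition for every caller, but neither the added comment nor the commit message says which call paths were checked to guarantee it. Please document the invariant where callers will see it (for example in the function's header comment), and confirm that frames which were never attached to a Tx packet are freed through a different path. The added comment also opens without a subject ("will be detached from its Tx packet"); naming the frame, as in "<frm> will be detached ...", would let it read on its own. Finally, the check sits before TRACE_ENTER(), so a failure leaves no trace entry for the offending frame; consider moving it after the trace call.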