From: Amaury Denoyelle Date: Tue, 25 Apr 2023 14:39:32 +0000 (+0200) Subject: MINOR: mux-quic: do not set buffer for empty STREAM frame X-Git-Tag: v2.8-dev9~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42c5b75cac88401bd02157588643285796e2af8a;p=thirdparty%2Fhaproxy.git MINOR: mux-quic: do not set buffer for empty STREAM frame Previous patch fixes an issue occurring with empty STREAM frames without payload. The crash was hidden in part because buf/data fields of qf_stream were set even if no payload is referenced. This was not the true cause of the crash but to ease future debugging, a STREAM frame built with no payload now has its buf and data fields set to NULL. This should be backported up to 2.6. --- diff --git a/src/mux_quic.c b/src/mux_quic.c index 64b3751913..f4306e9056 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -1530,11 +1530,19 @@ static int qcs_build_stream_frm(struct qcs *qcs, struct buffer *out, char fin, frm->stream.stream = qcs->stream; frm->stream.id = qcs->id; - frm->stream.buf = out; - frm->stream.data = (unsigned char *)b_peek(out, head); frm->stream.offset.key = 0; frm->stream.dup = 0; + if (total) { + frm->stream.buf = out; + frm->stream.data = (unsigned char *)b_peek(out, head); + } + else { + /* Empty STREAM frame. */ + frm->stream.buf = NULL; + frm->stream.data = NULL; + } + /* FIN is positioned only when the buffer has been totally emptied. */ if (fin) frm->type |= QUIC_STREAM_FRAME_TYPE_FIN_BIT; @@ -1544,6 +1552,9 @@ static int qcs_build_stream_frm(struct qcs *qcs, struct buffer *out, char fin, frm->stream.offset.key = qcs->tx.sent_offset; } + /* Always set length bit as we do not know if there is remaining frames + * in the final packet after this STREAM. + */ frm->type |= QUIC_STREAM_FRAME_TYPE_LEN_BIT; frm->stream.len = total;
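Review bot: In the hunk at @@ -1530,11 +1530,19 @@, the new else branch leaves frm->stream.buf and frm->stream.data as NULL whenever total is zero, so every reader of these two fields now has to test frm->stream.len (or the pointers themselves) before dereferencing. None of those readers are visible in this patch, and the change is marked for backport up to 2.6, so it is worth confirming on each target branch that the code consuming the frame tolerates a NULL buf. The "Empty STREAM frame." comment could also state that NULL is deliberate, so that a stray access fails immediately instead of reading unrelated buffer contents, which is the debugging aid the commit message describes.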
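Review bot: In the hunk at @@ -1544,6 +1552,9 @@, the added comment reads "if there is remaining frames"; it should be "if there are remaining frames". This hunk only documents why QUIC_STREAM_FRAME_TYPE_LEN_BIT is always set and is not mentioned in the commit message, which covers the buf/data fields only. A sentence in the message noting the comment addition, or moving it to its own commit, would make the backport easier to audit.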