From: Willy Tarreau Date: Wed, 10 Aug 2022 05:26:27 +0000 (+0200) Subject: BUG/MEDIUM: quic: always remove the connection from the accept list on close X-Git-Tag: v2.7-dev4~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54bc78693d8153f10ec4268bfad8779b08740bc2;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: quic: always remove the connection from the accept list on close Fred managed to reproduce a crash showing a corrupted accept_list when firing thousands of concurrent picoquicdemo clients to a same instance. It may happen if the connection was placed into the accept_list and immediately closed before being processed (e.g. on error or t/o ?). In any case the quic_conn_release() function should always detach a connection to be deleted from any list, like it does for other lists, so let's add an MT_LIST_DELETE() here. This should be backported to 2.6. --- diff --git a/src/xprt_quic.c b/src/xprt_quic.c index 87396ea15b..a971698378 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -4084,6 +4084,11 @@ static void quic_conn_release(struct quic_conn *qc) /* We must not free the quic-conn if the MUX is still allocated. */ BUG_ON(qc->mux_state == QC_MUX_READY); + /* in the unlikely (but possible) case the connection was just added to + * the accept_list we must delete it from there. + */ + MT_LIST_DELETE(&qc->accept_list); + /* free remaining stream descriptors */ node = eb64_first(&qc->streams_by_id); while (node) {