From: Amaury Denoyelle
Date: Fri, 23 Feb 2024 10:41:33 +0000 (+0100)
Subject: BUG/MEDIUM: mux-quic: do not crash on qcs_destroy for connection error
X-Git-Tag: v3.0-dev4~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73806f067501fef714070b881f2e3d6bc9ec1021;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-quic: do not crash on qcs_destroy for connection error

On qcs_destroy(), a BUG_ON() statement checks that QCS does not have any
more prepared data. This is to ensure connection flow control is always
coherent and prevent transfer freeze.

However, this BUG_ON() may cause a spurious crash in case QCC is
considered on error. Indeed, in this case, all transfers are interrupted
and qmux_strm_detach() will proceed to immediate QCS free before
releasing the connection. In this situation, connection flow control is
irrelevant so the BUG_ON() should be ignored.

This crash occurs since the MUX refactoring via the following patch.
Previously, a similar BUG_ON() was used but it was incorrectly
implemented rendering it immune even to targeted cause.
  3fe3251593e32c7ee07be94a193aea3a8eefb076
  MEDIUM: mux-quic: simplify sending API

This should fix github issue #2456.

This does not need to be backported.
---

diff --git a/src/mux_quic.c b/src/mux_quic.c index af678b72ab..1d82b5125d 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -1671,12 +1671,12 @@ static void qcs_destroy(struct qcs *qcs) TRACE_ENTER(QMUX_EV_QCS_END, conn, qcs); - /* MUST not removed a stream with sending prepared data left. This is - * to ensure consistency on connection flow-control calculation. - */ - BUG_ON(qcs->tx.fc.off_soft != qcs->tx.fc.off_real); + if (!(qcc->flags & (QC_CF_ERR_CONN|QC_CF_ERRL))) { + /* MUST not removed a stream with sending prepared data left. This is + * to ensure consistency on connection flow-control calculation. + */ + BUG_ON(qcs->tx.fc.off_soft != qcs->tx.fc.off_real); - if (!(qcc->flags & QC_CF_ERRL)) { if (quic_stream_is_remote(qcc, id)) qcc_release_remote_stream(qcc, id); }
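
Review bot: the widened test "if (!(qcc->flags & (QC_CF_ERR_CONN|QC_CF_ERRL)))" in qcs_destroy() now guards qcc_release_remote_stream(qcc, id) as well as the BUG_ON(), so the remote stream release is skipped when QC_CF_ERR_CONN is set, where before the patch it was skipped only for QC_CF_ERRL. The commit message justifies bypassing the BUG_ON() on connection error but does not mention this second effect. If skipping the release is intended, say so in the message or in the code comment; otherwise keep the original QC_CF_ERRL test around the release and put the new test around the BUG_ON() alone. The moved comment would also benefit from one sentence on why the check is bypassed when the connection is on error, and "MUST not removed" should read "MUST NOT remove".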