From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Mon, 28 Nov 2022 16:21:45 +0000 (+0100)
Subject: BUG/MINOR: quic: Endless loop during retransmissions
X-Git-Tag: v2.7.0~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b5d9b1f03cef92bda6cd2a3be93b9bbbfd61734;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Endless loop during retransmissions

qc_dgrams_retransmit() could reuse the same local list and could splice it two
times to the packet number space list of frame to be send/resend. This creates a
loop in this list and makes qc_build_frms() possibly endlessly loop when trying
to build frames from the packet number space list of frames. Then haproxy aborts.

This issue could be easily reproduced patching qc_build_frms() function to set <dlen>
variable value to 0 after having built at least 10 CRYPTO frames and using ngtcp2
as client with 30% packet loss in both direction.

Thank you to @gabrieltz for having reported this issue in GH #1903.

Must be backported to 2.6.
---

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 4edd5f9e00..d54c3b589b 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4243,10 +4243,10 @@ static void qc_dgrams_retransmit(struct quic_conn *qc)
 		int i;
 
 		if (hqel->pktns->flags & QUIC_FL_PKTNS_PROBE_NEEDED) {
-			struct list frms1 = LIST_HEAD_INIT(frms1);
-
 			hqel->pktns->tx.pto_probe = 0;
 			for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++) {
+				struct list frms1 = LIST_HEAD_INIT(frms1);
+
 				qc_prep_fast_retrans(qc, hqel, &frms1, NULL);
 				TRACE_DEVEL("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms1);
 				if (!LIST_ISEMPTY(&frms1)) {