From: Amaury Denoyelle
Date: Thu, 20 Jun 2024 15:54:04 +0000 (+0200)
Subject: BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
X-Git-Tag: v3.1-dev2~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5376b7a874776b4d5d79f9b746d4654df796f85;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure

On quic_tx_packet allocation failure, it is possible to trigger a BUG_ON() crash on INITIAL packet building. This statement is responsible for ensuring INITIAL packets are padded to 1.200 bytes as required. If the allocation of a packet on a higher encryption level fails, the PADDING frame cannot be properly encoded, despite the INITIAL packet being properly built.

This crash happens due to qc_txb_store() invocation after quic_tx_packet allocation failure to validate already built packets. However, this statement is unneeded as qc_purge_tx_buf() is called just after. Simply remove qc_txb_store() to fix this issue.

This was detected using -dMfail.

This should be backported up to 2.6.

--- diff --git a/src/quic_tx.c b/src/quic_tx.c index c963688ae4..a2e9524c25 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -584,8 +584,6 @@ static int qc_prep_pkts(struct quic_conn *qc, struct buffer *buf, if (!cur_pkt) { switch (err) { case QC_BUILD_PKT_ERR_ALLOC: - if (first_pkt) - qc_txb_store(buf, dglen, first_pkt); qc_purge_tx_buf(qc, buf); break;
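Review bot: The QC_BUILD_PKT_ERR_ALLOC case in qc_prep_pkts() now goes straight to qc_purge_tx_buf(qc, buf) with nothing in the code recording why the already built first_pkt is deliberately not stored first. The reasoning lives only in the commit message, so a short comment above the purge (for example, that storing a partially built datagram here can trip the INITIAL padding BUG_ON() and that the buffer is purged anyway) would keep the store-before-purge pattern from being reintroduced. Since the hunk ends at the break, it is also worth confirming that first_pkt and dglen are not consumed after the switch on this path, now that the packets they describe are discarded without being stored. Because the crash is only reachable on an allocation failure, an abort here is a reliability problem under memory pressure, which supports the backport request.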