From: Frédéric Lécaille
Date: Mon, 15 Nov 2021 15:21:40 +0000 (+0100)
Subject: MINOR: quic: Wrong Initial packet connection initialization
X-Git-Tag: v2.5-dev15~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f67b35620e9310f446923312ba0ce765359f8a47;p=thirdparty%2Fhaproxy.git
MINOR: quic: Wrong Initial packet connection initialization
->qc (QUIC connection) member of packet structure were badly initialized when received as second Initial packet (from picoquic -Q for instance). This leaded to corrupt the quic_conn structure with random behaviors as size effects. This bug came with this commit: "MINOR: quic: Possible wrong connection identification"
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index a5740dbcb6..d4511609dc 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -3759,9 +3759,9 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 }
 HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &l->rx.cids_lock);
- pkt->qc = qc;
 if (n == &qc->odcid_node) {
 /* Enqueue this packet. */
+ pkt->qc = qc;
 MT_LIST_APPEND(&l->rx.pkts, &pkt->rx_list);
 /* Try to accept a new connection. */
 listener_accept(l);
@@ -3769,6 +3769,7 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 else {
 quic_conn_free(qc);
 qc = ebmb_entry(n, struct quic_conn, odcid_node);
+ pkt->qc = qc;
 }
 /* This is the DCID node sent in this packet by the client. */
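Review bot: In the first hunk the position of the moved `pkt->qc = qc;` ahead of `MT_LIST_APPEND(&l->rx.pkts, &pkt->rx_list);` is now an ordering requirement that nothing in the code states. Once the packet is on `l->rx.pkts` and `listener_accept(l)` runs, whoever consumes the list presumably reads `pkt->qc`, so a later cleanup that moves the assignment below the append would hand out a packet with an unset connection pointer. I would add a comment on that line such as `/* Set ->qc before the packet becomes visible on l->rx.pkts. */`. The body of qc_lstnr_pkt_rcv starts and ends outside this hunk, so the consumer side is not visible here.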
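Review bot: In the else branch of the second hunk, `pkt->qc` is set to the connection recovered with `ebmb_entry(n, struct quic_conn, odcid_node)` only after `HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &l->rx.cids_lock)` in the previous hunk, and no visible line keeps that connection alive across the gap. If another thread is able to release the already registered quic_conn between the unlock and this store, the packet would again carry a stale pointer, which is the same class of memory corruption this commit fixes; this is an inference, since the teardown path lies outside the hunk. Either do the lookup-and-assign while the lock is still held, or document the invariant that makes it safe. A comment such as `/* The qc allocated for this packet was freed above; qc is now the connection already registered for this ODCID. */` would also make clear why the assignment cannot stay before the branch.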