From 2975e8805d9e84010bf5199a2365d650923dbb2c Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Fri, 8 Nov 2024 12:40:29 +0100 Subject: [PATCH] BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error A packet which contains several split and out of order CRYPTO frames may be parsed multiple times to ensure it can be handled via ncbuf. Only 3 iterations can be performed to prevent excessive CPU usage. There is a risk of crash if packet parsing is interrupted after maximum iterations is reached, or no progress can be made on the ncbuf. This is because may be dangling after list_for_each_entry_safe() The crash occurs on qc_frm_free() invocation, on error path of qc_parse_pkt_frms(). To fix it, always reset frm to NULL after list_for_each_entry_safe() to ensure it is not dangling. This should fix new report on github issue #2776. This regression has been triggered by the following patch: 1767196d5b2d8d1e557f7b3911a940000166ecda BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO As such, it must be backported up to 2.6, after the above patch. --- src/quic_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/quic_rx.c b/src/quic_rx.c index 69a36ec77c..c88a599ebf 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt, break; } } + + /* Always reset as it may be dangling after + * list_for_each_entry_safe() usage. Especially necessary to + * prevent a crash if loop is interrupted on max iteration. + */ + frm = NULL; } /* Error should be returned if some frames cannot be parsed. */ -- 2.47.3
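Review bot: the added comment names only the max-iteration exit, while the commit message says the pointer is also dangling when no progress can be made on the ncbuf; widen the comment to cover both early exits (e.g. "prevent a crash if the retry loop exits early, on max iteration or when the ncbuf makes no progress") so a later reader does not narrow the reset to one case. Resetting `frm = NULL` after `list_for_each_entry_safe()` is the right minimal change for a backport to 2.6, since the error path of `qc_parse_pkt_frms()` calls `qc_frm_free()` on whatever `frm` still holds; a follow-up could declare `frm` inside the per-iteration scope so the error path can never observe a stale value, and a regression test built from the github issue #2776 report (out-of-order, fragmented CRYPTO frames in one packet) would keep this error path covered.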