git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Amaury Denoyelle <adenoyelle@haproxy.com>
	Mon, 17 Jun 2024 13:39:24 +0000 (15:39 +0200)
committer	Amaury Denoyelle <adenoyelle@haproxy.com>
	Wed, 19 Jun 2024 13:15:59 +0000 (15:15 +0200)
commit	937324d493eefb54d2f68820a9afcf5cfd66bdf5
tree	7e4fa93ab127f7718816e69c4e37c2bca30862e5	tree \| snapshot
parent	c714b6bb55e34c7cd2cb3ff7dbed374e6b6eae65	commit \| diff

BUG/MAJOR: quic: do not loop on emission on closing/draining state

To emit CONNECTION_CLOSE frame, a special buffer is allocated via
qc_txb_store(). This is due to QUIC_FL_CONN_IMMEDIATE_CLOSE flag.
However this flag is reset after qc_send_ppkts() invocation to prevent
reemission of CONNECTION_CLOSE frame.

qc_send() can invoke multiple times a series of qc_prep_pkts() +
qc_send_ppkts() to emit several datagrams. However, this may cause a
crash if on first loop a CONNECTION_CLOSE is emitted. On the next loop
iteration, QUIC_FL_CONN_IMMEDIATE_CLOSE is resetted, thus qc_prep_pkts()
will use the wrong buffer size as end delimiter. In some cases, this may
cause a BUG_ON() crash due to b_add() outside of buffer.

This bug can be reproduced by using a while loop of ngtcp2-client and
interrupting them randomly via Ctrl+C.

Here is the patch which introduce this regression :
cdfceb10ae136b02e51f9bb346321cf0045d58e0
MINOR: quic: refactor qc_prep_pkts() loop