BUG/MINOR: quic: Frames added to packets even if not built.
authorFrédéric Lécaille <flecaille@haproxy.com>
Sat, 27 Aug 2022 13:51:30 +0000 (15:51 +0200)
committerFrédéric Lécaille <flecaille@haproxy.com>
Sat, 27 Aug 2022 16:33:19 +0000 (18:33 +0200)
Several frames could remain not built in <frm_list>, the list built by qc_build_frms(),
after it had stopped at the first build error. So only one frame was reinserted into
the frame list passed as parameter to qc_do_build_pkt(). Then <frm_list> was
spliced into the packet frame list even though its frames were neither built nor attached to
any packet. Such frames had their ->pkt member set to NULL but were considered as
built, then sent, leading to a crash in qc_release_frm() where ->pkt is dereferenced.

This issue was again reported by useful traces provided by Tristan in GH #1808.

Must be backported to 2.6.

src/xprt_quic.c

index f5dedcab24150b34ffb2a80a80811f3c2788ff91..99f07df4e52f01638169c8c6157609651997b57b 100644 (file)
@@ -6806,14 +6806,12 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
                                ssize_t room = end - pos;
                                TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT,
                                            qc, NULL, NULL, &room);
-                               /* TODO: this should not have happened except if we
-                                * are limited by the congestion control.
-                                * Note that <cf> was added from <frm_list> to <frms> list by
+                               /* Note that <cf> was added from <frms> to <frm_list> list by
                                 * qc_build_frms().
                                 */
                                LIST_DELETE(&cf->list);
                                LIST_INSERT(frms, &cf->list);
-                               break;
+                               continue;
                        }
 
                        quic_tx_packet_refinc(pkt);
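Review bot: Turning the `break` into `continue` after `LIST_INSERT(frms, &cf->list)` means the loop now unlinks the current entry and then advances the iterator, which is only safe if the enclosing loop, whose header lies above this hunk, uses a deletion-safe iterator (a `list_for_each_entry_safe`-style form); with a plain iterator the advance would read `->list.n` from a node already moved to <frms>, so this is worth confirming at the loop header. Since the intent is now that <frm_list> holds only frames really built into <pkt>, the comment would state that contract more directly: `/* Give back to <frms> every frame which does not fit, so that <frm_list> only keeps the frames really built into <pkt> and attached to it via ->pkt. */`. Note also that the "Not enough room" trace now fires once per remaining frame rather than once per packet, which is fine for diagnosing the crash reported in the description but may be worth mentioning in the commit message.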