MINOR: quic: Wrong packet refcount handling in qc_pkt_insert()

The QUIC connection I/O handler qc_conn_io_cb() could be called just after
qc_pkt_insert() have inserted a packet in a its tree, and before qc_pkt_insert()
have incremented the reference counter to this packet. As qc_conn_io_cb()
decrement this counter, the packet could be released before qc_pkt_insert()
might increment the counter, leading to possible crashes when trying to do so.
So, let's make qc_pkt_insert() increment this counter before inserting the packet
it is tree. No need to lock anything for that.

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index bc4b07485a20fafb52dd055034594265b88272f4..efebc57f254ca4cc1edb7576b52e1292e7c67301 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -3610,10 +3610,10 @@ static int qc_pkt_may_rm_hp(struct quic_rx_packet *pkt,
 static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel)
 {
        pkt->pn_node.key = pkt->pn;
+       quic_rx_packet_refinc(pkt);
        HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
        eb64_insert(&qel->rx.pkts, &pkt->pn_node);
        HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock);
-       quic_rx_packet_refinc(pkt);
 }
 
 /* Try to remove the header protection of <pkt> QUIC packet attached to <qc>