BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure

To handle out-of-order received CRYPTO frames, a ncbuf instance is
allocated. This is done via the helper quic_get_ncbuf().

Buffer allocation was improperly checked. In case b_alloc() fails, it
crashes due to a BUG_ON(). Fix this by removing it. The function now
returns NULL on allocation failure, which is already properly handled in
its caller qc_handle_crypto_frm().

This should fix the last reported crash from github issue #2935.

This must be backported up to 2.6.

diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h
index 31f0c086f88428908303a97ad172c1f2c163eaee..3ba4b09383cc3656a96f9962cdf137ad4e96c85b 100644 (file)
--- a/include/haproxy/quic_conn.h
+++ b/include/haproxy/quic_conn.h
@@ -127,7 +127,11 @@ static inline void quic_conn_mv_cids_to_cc_conn(struct quic_conn_closed *cc_conn
 
 }
 
-/* Allocate the underlying required memory for <ncbuf> non-contiguous buffer */
+/* Allocate the underlying required memory for <ncbuf> non-contiguous buffer.
+ * Does nothing if buffer is already allocated.
+ *
+ * Returns the buffer instance or NULL on allocation failure.
+ */
 static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
 {
        struct buffer buf = BUF_NULL;
@@ -135,8 +139,8 @@ static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
        if (!ncb_is_null(ncbuf))
                return ncbuf;
 
-       b_alloc(&buf, DB_MUX_RX);
-       BUG_ON(b_is_null(&buf));
+       if (!b_alloc(&buf, DB_MUX_RX))
+               return NULL;
 
        *ncbuf = ncb_make(buf.area, buf.size, 0);
        ncb_init(ncbuf, 0);