git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MINOR: quic: fix race-condition on trace for CID retrieval
author Amaury Denoyelle <adenoyelle@haproxy.com>
Thu, 27 Jun 2024 16:52:23 +0000 (18:52 +0200)
committer Amaury Denoyelle <adenoyelle@haproxy.com>
Fri, 28 Jun 2024 14:28:33 +0000 (16:28 +0200)
quic_rx_pkt_retrieve_conn() is used when parsing a received datagram
from the listener socket. It returned the quic_conn instance
corresponding to the first packet DCID, unless it is mapped to another
thread.

As expected, global CID tree access is protected by a lock in the
function. However, there is a race condition due to the final trace
where qc instance is dereferenced outside of the lock. Fix this by
adding a new trace under lock protection and remove qc dereferencing at
function end.

This may fix first crash of github issue #2607.

This must be backported up to 2.8.

src/quic_cid.c

index da3b0968eff97b66a81ae8e4c9fc7b94231d387f..e27d9caec6e6fa0cb9114da7ab0fa2ff8c01d898 100644 (file)
@@ -257,10 +257,11 @@ struct quic_conn *retrieve_qc_conn_from_cid(struct quic_rx_packet *pkt,
                goto end;
        }
        qc = conn_id->qc;
+       TRACE_DEVEL("found connection", QUIC_EV_CONN_RXPKT, qc);
 
  end:
        HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);
-       TRACE_LEAVE(QUIC_EV_CONN_RXPKT, qc);
+       TRACE_LEAVE(QUIC_EV_CONN_RXPKT);
        return qc;
 }
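
Review bot: at the `end:` label, nothing in the code records that qc must not be dereferenced once `HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock);` has run, while `return qc;` still passes the pointer out after the unlock. A one-line comment above `TRACE_LEAVE(QUIC_EV_CONN_RXPKT);` saying that qc is only handed back here and must not be passed to a trace or otherwise read after the lock is released would keep a later debug change from putting the argument back and reintroducing the race. It would also help to state there what makes the returned pointer safe for the caller to use, since that guarantee is not visible in this hunk. Separately, the new `TRACE_DEVEL("found connection", ...)` is skipped on the `goto end` path, so that path now leaves the function with no connection context in the trace; if that is intended, the same comment can say so.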