BUG/MINOR: quic: Possible leak during probing retransmissions

qc_dgrams_retransmit() prepares two list of frames to be retransmitted into
two datagrams. If the first datagram could not be sent, the TX buffer will
be purged with the prepared packet and its frames, but this was not the case for
the second list of frames.

Must be backported in 2.7.

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 6b66c223aed1917ebac59d822e4ba5e5e061f2ee..007afee587855696c414e163ae4458ded106366b 100644 (file)
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4961,8 +4961,10 @@ static int qc_dgrams_retransmit(struct quic_conn *qc)
                        TRACE_PROTO("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms2);
                        if (!LIST_ISEMPTY(&frms1)) {
                                aqel->pktns->tx.pto_probe = 1;
-                               if (!qc_send_app_probing(qc, &frms1))
+                               if (!qc_send_app_probing(qc, &frms1)) {
+                                       qc_free_frm_list(&frms2, qc);
                                        goto leave;
+                               }
 
                                /* Put back unsent frames into their packet number spaces */
                                LIST_SPLICE(&aqel->pktns->tx.frms, &frms1);