From: Frédéric Lécaille
Date: Sat, 27 Aug 2022 13:51:30 +0000 (+0200)
Subject: BUG/MINOR: quic: Frames added to packets even if not built.
X-Git-Tag: v2.7-dev5~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=149c531fa185f418def681fbe044d48fca1db66c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Frames added to packets even if not built.

Several frames could remain as not built into built by qc_build_frms() after having stopped at the first building error. So only one frame was reinserted in the frame list passed as parameter to qc_do_build_pkt(). Then was spliced to the packet frame list even if its frames were not built, nor attached to any packet. Such frames had their ->pkt member set to NULL, but considered as built, then sent leading to a crash in qc_release_frm() where ->pkt is dereferenced.

This issue was again reported by useful traces provided by Tristan in GH #1808.

Must be backported to 2.6.
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c index f5dedcab24..99f07df4e5 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -6806,14 +6806,12 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, ssize_t room = end - pos; TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT, qc, NULL, NULL, &room); - /* TODO: this should not have happened except if we - * are limited by the congestion control. - * Note that was added from to list by + /* Note that was added from to list by * qc_build_frms(). */ LIST_DELETE(&cf->list); LIST_INSERT(frms, &cf->list); - break; + continue; }
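Review bot: With `break` replaced by `continue`, the failure branch in qc_do_build_pkt() can now run once per unbuilt frame, so the `LIST_DELETE(&cf->list); LIST_INSERT(frms, &cf->list);` pair deserves a second look for ordering. If LIST_INSERT adds at the head of `frms`, several frames put back in the same pass end up in reverse order relative to how they were queued; appending at the tail, or stating in the comment that order does not matter here, would settle it. The same `continue` also means the loop keeps walking the list right after `cf` has been unlinked from it, so the enclosing iteration (not visible in this hunk) has to be the deletion-safe form; please confirm that. Finally, the TRACE_DEVEL("Not enough room", ...) call sits in the same branch and will now fire for every frame that fails to build, which may be noisier than intended, and the shortened comment no longer says when this path is expected to be reached now that the TODO about congestion control is gone.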