From: Frédéric Lécaille
Date: Mon, 20 Dec 2021 13:41:19 +0000 (+0100)
Subject: MINOR: quic: Wrong packet refcount handling in qc_pkt_insert()
X-Git-Tag: v2.6-dev1~249
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ce5acf7edda75ff8f652bcd348fd89b5537ef09;p=thirdparty%2Fhaproxy.git

MINOR: quic: Wrong packet refcount handling in qc_pkt_insert()

The QUIC connection I/O handler qc_conn_io_cb() could be called just after qc_pkt_insert() has inserted a packet in its tree, and before qc_pkt_insert() has incremented the reference counter to this packet. As qc_conn_io_cb() decrements this counter, the packet could be released before qc_pkt_insert() might increment the counter, leading to possible crashes when trying to do so.

So, let's make qc_pkt_insert() increment this counter before inserting the packet in its tree. No need to lock anything for that.

---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c index bc4b07485a..efebc57f25 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -3610,10 +3610,10 @@ static int qc_pkt_may_rm_hp(struct quic_rx_packet *pkt, static void qc_pkt_insert(struct quic_rx_packet *pkt, struct quic_enc_level *qel) { pkt->pn_node.key = pkt->pn; + quic_rx_packet_refinc(pkt); HA_RWLOCK_WRLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); eb64_insert(&qel->rx.pkts, &pkt->pn_node); HA_RWLOCK_WRUNLOCK(QUIC_LOCK, &qel->rx.pkts_rwlock); - quic_rx_packet_refinc(pkt); } /* Try to remove the header protection of QUIC packet attached to
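Review bot: the ordering requirement that this hunk restores is undocumented in the code itself; moving `quic_rx_packet_refinc(pkt);` above HA_RWLOCK_WRLOCK() is the right fix, because once eb64_insert() has linked pkt->pn_node into qel->rx.pkts the packet is reachable by qc_conn_io_cb(), which drops a reference, so the tree's reference has to exist before that point. Nothing in the hunk says so, and the increment now also runs outside qel->rx.pkts_rwlock, which is only safe if quic_rx_packet_refinc() is atomic on its own (the "No need to lock anything for that" in the message). A one-line comment above the moved call, for example "/* take the tree's reference before the packet becomes visible to qc_conn_io_cb() */", would keep a later refactor from restoring the old insert-then-refinc order.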
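The race the commit message describes, reduced to its ordering invariant, as an added example that is not HAProxy code: a packet must hold the reference that a shared structure will later drop before it is published into that structure. The `rx_pkt`, `pkt_tree`, `pkt_refinc`, `pkt_refdec`, `io_handler_consume` and the two `insert_*` functions are hypothetical stand-ins for quic_rx_packet, qel->rx.pkts, quic_rx_packet_refinc(), qc_conn_io_cb() and the two orderings in qc_pkt_insert(); the single-slot "tree", the assumption that a packet is allocated with one reference held by the receive path, and the `interleave` callback that deterministically runs the consumer between the two steps are all constructed for the demonstration. A `freed` flag stands in for the actual release so the use-after-free is observed rather than triggered.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a received packet: an atomic reference count and a
 * "freed" flag that records what would have been a free() in real code. */
struct rx_pkt {
    atomic_int refcnt;
    bool freed;
    unsigned long pn;
};

/* Constructed stand-in for the per-encryption-level packet tree: one slot. */
struct pkt_tree {
    struct rx_pkt *slot;
};

/* Assumption: a freshly received packet starts with one reference, held by
 * the receive path that allocated it. */
static void pkt_init(struct rx_pkt *p, unsigned long pn)
{
    atomic_init(&p->refcnt, 1);
    p->freed = false;
    p->pn = pn;
}

/* Atomic increment: safe to call without holding the tree lock. */
static void pkt_refinc(struct rx_pkt *p)
{
    atomic_fetch_add_explicit(&p->refcnt, 1, memory_order_relaxed);
}

/* Atomic decrement; the caller that takes the count to zero releases it.
 * Returns true when this call was the releasing one. */
static bool pkt_refdec(struct rx_pkt *p)
{
    if (atomic_fetch_sub_explicit(&p->refcnt, 1, memory_order_acq_rel) == 1) {
        p->freed = true;          /* would be free(p) / pool_free() here */
        return true;
    }
    return false;
}

static int pkt_refcount(struct rx_pkt *p)
{
    return atomic_load(&p->refcnt);
}

/* Stand-in for the I/O handler: detach the packet from the tree and drop the
 * reference the tree held on it. */
static void io_handler_consume(struct pkt_tree *t)
{
    struct rx_pkt *p = t->slot;
    if (!p)
        return;
    t->slot = NULL;
    pkt_refdec(p);
}

/* Ordering before the fix: publish first, take the reference afterwards.
 * `interleave` (may be NULL) simulates another thread running in between.
 * Returns false if the increment would have touched freed memory. */
static bool insert_publish_then_ref(struct pkt_tree *t, struct rx_pkt *p,
                                    void (*interleave)(struct pkt_tree *))
{
    t->slot = p;                  /* packet now reachable by the consumer */
    if (interleave)
        interleave(t);
    if (p->freed)
        return false;             /* consumer dropped the last reference */
    pkt_refinc(p);
    return true;
}

/* Ordering after the fix: take the tree's reference, then publish. */
static bool insert_ref_then_publish(struct pkt_tree *t, struct rx_pkt *p,
                                    void (*interleave)(struct pkt_tree *))
{
    pkt_refinc(p);                /* reference exists before publication */
    t->slot = p;
    if (interleave)
        interleave(t);
    return !p->freed;
}

int main(void)
{
    struct pkt_tree t = { NULL };
    struct rx_pkt a, b;

    pkt_init(&a, 1);
    printf("publish-then-ref: %s\n",
           insert_publish_then_ref(&t, &a, io_handler_consume) ? "ok" : "use-after-free");
    pkt_init(&b, 2);
    printf("ref-then-publish: %s, refcnt now %d\n",
           insert_ref_then_publish(&t, &b, io_handler_consume) ? "ok" : "use-after-free",
           pkt_refcount(&b));
    return 0;
}
```

With the consumer interleaved, the old order lets the consumer's decrement take the only reference to zero before the producer increments, which is the crash the commit describes; the new order leaves the packet alive with one reference (the receive path's) after the consumer has dropped the tree's. Without an interleaving both orders end with two references, which is why the bug only showed up under concurrency.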