From: Amaury Denoyelle Date: Fri, 18 Apr 2025 16:02:48 +0000 (+0200) Subject: BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure X-Git-Tag: v3.2-dev12~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4309a6fbf80240b0880c5adf091f0075c3bcd53f;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure To handle out-of-order received CRYPTO frames, a ncbuf instance is allocated. This is done via the helper quic_get_ncbuf(). Buffer allocation was improperly checked. In case b_alloc() fails, it crashes due to a BUG_ON(). Fix this by removing it. The function now returns NULL on allocation failure, which is already properly handled in its caller qc_handle_crypto_frm(). This should fix the last reported crash from github issue #2935. This must be backported up to 2.6. --- diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h index 31f0c086f..3ba4b0938 100644 --- a/include/haproxy/quic_conn.h +++ b/include/haproxy/quic_conn.h @@ -127,7 +127,11 @@ static inline void quic_conn_mv_cids_to_cc_conn(struct quic_conn_closed *cc_conn } -/* Allocate the underlying required memory for non-contiguous buffer */ +/* Allocate the underlying required memory for non-contiguous buffer. + * Does nothing if buffer is already allocated. + * + * Returns the buffer instance or NULL on allocation failure. + */ static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf) { struct buffer buf = BUF_NULL; @@ -135,8 +139,8 @@ static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf) if (!ncb_is_null(ncbuf)) return ncbuf; - b_alloc(&buf, DB_MUX_RX); - BUG_ON(b_is_null(&buf)); + if (!b_alloc(&buf, DB_MUX_RX)) + return NULL; *ncbuf = ncb_make(buf.area, buf.size, 0); ncb_init(ncbuf, 0);
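Review bot: In the first hunk, the new comment above quic_get_ncbuf() says "Does nothing if buffer is already allocated", but that path returns the passed ncbuf, so the two return cases are better stated together. It would also help to note that on allocation failure *ncbuf is left untouched (still null, since the function returns before ncb_make() is assigned), so a caller knows the call can safely be retried later.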
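Review bot: In the second hunk, the `return NULL` after a failed b_alloc() becomes a new outcome for every user of this static inline helper in quic_conn.h, yet the patch touches no call site. The commit message names qc_handle_crypto_frm() as already handling NULL; since the removed BUG_ON() previously guaranteed a non-NULL return, please confirm that no other caller dereferences the result unchecked, and consider saying so in the commit message for the backports down to 2.6.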