From: Frédéric Lécaille
Date: Fri, 18 Mar 2022 17:38:19 +0000 (+0100)
Subject: BUG/MINOR: mux-quic: Access to empty frame list from qc_send_frames()
X-Git-Tag: v2.6-dev4~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e22f28febc679d0b4180c8a0f8096e4f248e3da;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-quic: Access to empty frame list from qc_send_frames()

This was revealed by libasan each time qc_send_frames() is run for the first time:

=================================================================
==84177==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fbaaca2b3c8 at pc 0x560a4fdb7c2e bp 0x7fbaaca2b300 sp 0x7fbaaca2b2f8
READ of size 1 at 0x7fbaaca2b3c8 thread T6
    #0 0x560a4fdb7c2d in qc_send_frames src/mux_quic.c:473
    #1 0x560a4fdb83be in qc_send src/mux_quic.c:563
    #2 0x560a4fdb8a6e in qc_io_cb src/mux_quic.c:638
    #3 0x560a502ab574 in run_tasks_from_lists src/task.c:580
    #4 0x560a502ad589 in process_runnable_tasks src/task.c:883
    #5 0x560a501e3c88 in run_poll_loop src/haproxy.c:2675
    #6 0x560a501e4519 in run_thread_poll_loop src/haproxy.c:2846
    #7 0x7fbabd120ea6 in start_thread nptl/pthread_create.c:477
    #8 0x7fbabcb19dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)

Address 0x7fbaaca2b3c8 is located in stack of thread T6 at offset 56 in frame
    #0 0x560a4fdb7f00 in qc_send src/mux_quic.c:514

  This frame has 1 object(s):
    [32, 48) 'frms' (line 515) <== Memory access at offset 56 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T6 created by T0 here:
    #0 0x7fbabd1bd2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x560a5036f9b8 in setup_extra_threads src/thread.c:221
    #2 0x560a501e70fd in main src/haproxy.c:3457
    #3 0x7fbabca42d09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: stack-buffer-overflow
src/mux_quic.c:473 in qc_send_frames --- diff --git a/src/mux_quic.c b/src/mux_quic.c index e1937d65c9..9d85c8a35a 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -468,6 +468,9 @@ static int qc_send_frames(struct qcc *qcc, struct list *frms) uint64_t first_offset = 0; char first_stream_frame_type; + if (LIST_ISEMPTY(frms)) + return 0; + retry_send: first_frm = LIST_ELEM(frms->n, struct quic_frame *, list); if ((first_frm->type & QUIC_FT_STREAM_8) == QUIC_FT_STREAM_8) {
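Review bot: the new "if (LIST_ISEMPTY(frms)) return 0;" is placed above the "retry_send:" label, so any jump back to retry_send taken after frames have been removed from frms reaches "first_frm = LIST_ELEM(frms->n, struct quic_frame *, list);" without the guard. On an empty list frms->n points back at the list head itself, so the LIST_ELEM container arithmetic yields a pointer into the caller's stack frame and "first_frm->type" is the out-of-bounds read the ASan report shows (offset 56, outside the [32, 48) 'frms' object in qc_send). If the retry path can drain the list before jumping back, the check belongs below the label (or should be repeated at the retry site); if it cannot, a short comment stating that invariant would save the next reader the same question. It is also worth confirming at the caller in qc_send (src/mux_quic.c:563) that a bare return of 0 for "nothing to send" is not confused with whatever qc_send_frames returns on a failed or partial send.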