From: Neil Horman Date: Fri, 7 Mar 2025 21:35:47 +0000 (-0500) Subject: Orphan packets from qrx X-Git-Tag: openssl-3.5.0-alpha1~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a308a89a4f43ccfdcd9923e8951081a404b5fdc;p=thirdparty%2Fopenssl.git Orphan packets from qrx It may occur that the qrx we allocate in port_default_packet handler to do AEAD validation isn't the one the channel ultimately uses (like if we turn off address validation). In that event, we need to ensure that anything we have on that qrx isn't returned to its free list to avoid early freeing when we free the qrx at the end of port_default_packet_handler, while those frames are still pending on the channel qrx Reviewed-by: Tim Hudson Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/27004)
---
diff --git a/include/internal/quic_record_rx.h b/include/internal/quic_record_rx.h
index 8db7f3fc0dc..27ac309b300 100644
--- a/include/internal/quic_record_rx.h
+++ b/include/internal/quic_record_rx.h
@@ -259,6 +259,12 @@ int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT **pkt);
 */
 void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt);
 
+/*
+ * Like ossl_qrx_pkt_release, but just ensures that the refcount is dropped
+ * on this qrx_pkt, and ensure its not on any list
+ */
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt);
+
 /* Increments the reference count for the given packet. */
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt);
 
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 29625118ae4..e4ee26c9d10 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -279,7 +279,7 @@ void ossl_qrx_inject_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
 * port_default_packet_handler() uses ossl_qrx_read_pkt()
 * to get pkt. Such packet has refcount 1.
 */
- ossl_qrx_pkt_release(pkt);
+ ossl_qrx_pkt_orphan(pkt);
 if (ossl_assert(rxe->refcount == 0))
 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
 }
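Review bot: The comment added above `ossl_qrx_pkt_orphan` in include/internal/quic_record_rx.h says the function will "ensure its not on any list", but the definition added in ssl/quic/quic_record_rx.c only asserts that the entry has no list neighbours and never unlinks anything. That is a caller precondition and should be documented as one, together with the actual difference from release, for example `Drops one reference like ossl_qrx_pkt_release(), but never returns the packet to the QRX free list. The caller must already have removed the packet from every list.` Who owns the storage once the count reaches zero is not stated anywhere in the visible lines and is worth adding to the same comment.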
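Review bot: In `ossl_qrx_inject_pkt` the comment above the changed call still explains only the refcount of 1, not why the reference is orphaned instead of released, which is the memory-safety reason for this change. I would extend it with `Orphan rather than release: the source qrx is freed by port_default_packet_handler(), so rxe must not go back onto its free list.` Separately, when `ossl_assert(rxe->refcount == 0)` fails in a non-debug build the entry is now neither queued nor recycled, and the void return gives the caller no way to notice. The function begins outside this hunk, so whether that path is reachable cannot be judged from here.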
@@ -1473,6 +1473,19 @@ void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt)
 qrx_recycle_rxe(pkt->qrx, rxe);
 }
 
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt)
+{
+ RXE *rxe;
+
+ if (pkt == NULL)
+ return;
+ rxe = (RXE *)pkt;
+ assert(rxe->refcount > 0);
+ rxe->refcount--;
+ assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
+ return;
+}
+
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt)
 {
 RXE *rxe = (RXE *)pkt;
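Review bot: `ossl_qrx_pkt_orphan` checks both of its invariants with plain `assert()`, which compiles away under NDEBUG, so in such a build a refcount of zero is decremented anyway and an entry that is still linked is handed back to `ossl_qrx_inject_pkt`, which inserts it into `rx_pending`. The same file already uses `ossl_assert` as a runtime guard (`if (ossl_assert(rxe->refcount == 0))`), and that form fits here: `if (!ossl_assert(rxe->refcount > 0)) return;` ahead of the decrement. The list-membership check has the further problem that a void return cannot tell the caller the precondition was violated, so it deserves at least an `ossl_assert` and a comment stating the precondition. Whether this file includes `<assert.h>` is not visible in the hunk, and the trailing `return;` in a void function can be dropped.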