From: Amaury Denoyelle
Date: Thu, 27 Jun 2024 16:52:23 +0000 (+0200)
Subject: BUG/MINOR: quic: fix race-condition on trace for CID retrieval
X-Git-Tag: v3.1-dev2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbb9f8248e29e89c288ad55a0fb7c71280a335a0;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: fix race-condition on trace for CID retrieval

quic_rx_pkt_retrieve_conn() is used when parsing a received datagram from the listener socket. It returned the quic_conn instance corresponding to the first packet DCID, unless it is mapped to another thread.

As expected, global CID tree access is protected by a lock in the function. However, there is a race condition due to the final trace where qc instance is dereferenced outside of the lock.

Fix this by adding a new trace under lock protection and remove qc dereferencing at function end.

This may fix first crash of github issue #2607.

This must be backported up to 2.8.
---
diff --git a/src/quic_cid.c b/src/quic_cid.c index da3b0968ef..e27d9caec6 100644 --- a/src/quic_cid.c +++ b/src/quic_cid.c @@ -257,10 +257,11 @@ struct quic_conn *retrieve_qc_conn_from_cid(struct quic_rx_packet *pkt, goto end; } qc = conn_id->qc; + TRACE_DEVEL("found connection", QUIC_EV_CONN_RXPKT, qc); end: HA_RWLOCK_RDUNLOCK(QC_CID_LOCK, &tree->lock); - TRACE_LEAVE(QUIC_EV_CONN_RXPKT, qc); + TRACE_LEAVE(QUIC_EV_CONN_RXPKT); return qc; }
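Review bot: The hunk is in retrieve_qc_conn_from_cid() (see the @@ header), while the commit message names quic_rx_pkt_retrieve_conn(); one of the two should be corrected so the backport to 2.8 references the right function. On the change itself, the new `TRACE_DEVEL("found connection", QUIC_EV_CONN_RXPKT, qc);` is placed directly after `qc = conn_id->qc;` and before the `end:` label, so the only dereference of qc now happens while `QC_CID_LOCK` is still held, and the `goto end` paths (CID not found, or mapped to another thread) correctly get no qc-bearing trace. Dropping qc from `TRACE_LEAVE(QUIC_EV_CONN_RXPKT);` is the right call after `HA_RWLOCK_RDUNLOCK`, since once the read lock is released another thread may free the connection; it would help a future reader to add a one-line comment above the `end:` label stating that qc must not be dereferenced past the unlock, which is the invariant this fix restores.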