From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Mon, 24 Apr 2023 09:20:32 +0000 (+0200)
Subject: BUG/MINOR: quic: Possible leak during probing retransmissions
X-Git-Tag: v2.8-dev9~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6bec2a3afdd537a617fbd9e1ae88a50f81f689d;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Possible leak during probing retransmissions

qc_dgrams_retransmit() prepares two list of frames to be retransmitted into
two datagrams. If the first datagram could not be sent, the TX buffer will
be purged with the prepared packet and its frames, but this was not the case for
the second list of frames.

Must be backported in 2.7.
---

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 6b66c223ae..007afee587 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4961,8 +4961,10 @@ static int qc_dgrams_retransmit(struct quic_conn *qc)
 			TRACE_PROTO("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms2);
 			if (!LIST_ISEMPTY(&frms1)) {
 				aqel->pktns->tx.pto_probe = 1;
-				if (!qc_send_app_probing(qc, &frms1))
+				if (!qc_send_app_probing(qc, &frms1)) {
+					qc_free_frm_list(&frms2, qc);
 					goto leave;
+				}
 
 				/* Put back unsent frames into their packet number spaces */
 				LIST_SPLICE(&aqel->pktns->tx.frms, &frms1);