From: Frederic Lecaille <flecaille@haproxy.com>
Date: Tue, 21 Jan 2025 14:49:51 +0000 (+0100)
Subject: BUG/MINOR: quic: ensure a detached coalesced packet can't access its neighbours
X-Git-Tag: v3.2-dev4~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb729fb64d18815fd73e48d24f0d58a830aee63c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: ensure a detached coalesced packet can't access its neighbours

Reset ->prev and ->next fields of a coalesced TX packet to ensure it cannot access
several times its neighbours after it is supposed to be detached from them calling
quic_tx_packet_dgram_detach().

There are two cases where a packet can be coalesced to another previous built one:
this is when it is built into the same datagrame without GSO (and flagged flag with
QUIC_FL_TX_PACKET_COALESCED) or when sent from the same sendto() syscall with GOS
(not flagged with QUIC_FL_TX_PACKET_COALESCED).

This fix may be in relation with GH #2839.

Must be backported as far as 2.6.
---

diff --git a/include/haproxy/quic_tx.h b/include/haproxy/quic_tx.h
index 970d8d598..9961a2384 100644
--- a/include/haproxy/quic_tx.h
+++ b/include/haproxy/quic_tx.h
@@ -63,6 +63,7 @@ static inline void quic_tx_packet_dgram_detach(struct quic_tx_packet *pkt)
 		pkt->prev->next = pkt->next;
 	if (pkt->next)
 		pkt->next->prev = pkt->prev;
+	pkt->prev = pkt->next = NULL;
 }