From: Amaury Denoyelle Date: Tue, 16 Jun 2026 15:10:50 +0000 (+0200) Subject: BUG/MEDIUM: mux_quic: fix freeze transfer after QCS rxbuf realign X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7266ed8c30eddfcb90a04f787da74d5ffa942333;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux_quic: fix freeze transfer after QCS rxbuf realign QCS uses a multiple Rx buffer for incoming data to decode. However this may cause the app proto layer to block on decoding if some data are splitted across two buffers. In this case qcs_transfer_rx_data() is used to move the data in the same current buffer. However, this function contains a bug as the next Rx buffer is not reinserted as expected in the QCS tree after the move operation. This can cause data loss which will cause a transfer freeze. This may affect POST requests on the frontend side as well as most backend transfers. This patch fixes the reinsert operation. It is now performed as expected if the next rxbuf is not fully truncated. In the opposite case, the rxbuf can simply be freed completely. This must be backported up to 3.2. --- diff --git a/src/mux_quic.c b/src/mux_quic.c index 509e3aa7a..c8a880450 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -1268,10 +1268,11 @@ static int qcs_transfer_rx_data(struct qcs *qcs, struct qc_stream_rxbuf *rxbuf) rxbuf->off_end = qcs->rx.offset + b_data(&b) + to_copy; eb64_insert(&qcs->rx.bufs, &rxbuf->off_node); + /* Increment next rxbuf offset. This must not exceed off_end. */ rxbuf_next->off_node.key += to_copy; BUG_ON(rxbuf_next->off_node.key > rxbuf_next->off_end); - - if (rxbuf_next->off_node.key == rxbuf_next->off_end) { + /* Now reinsert next rxbuf unless it has been completely truncated. */ + if (rxbuf_next->off_node.key < rxbuf_next->off_end) { eb64_insert(&qcs->rx.bufs, &rxbuf_next->off_node); } else {