From 149c531fa185f418def681fbe044d48fca1db66c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Sat, 27 Aug 2022 15:51:30 +0200
Subject: [PATCH] BUG/MINOR: quic: Frames added to packets even if not built.
Several frames could remain as not build into built by qc_build_frms() after having stopped at the first building error. So only one frame was reinserted in the frame list passed as parameter to qc_do_build_pkt(). Then was spliced to the packet frame list even its frames were not built, nor attached to any packet. Such frames had their ->pkt member set to NULL, but considered as built, then sent leading to a crash in qc_release_frm() where ->pkt is dereferenced. This issue was again reported by useful traces provided by Tristan in GH #1808. Must be backported to 2.6.
---
 src/xprt_quic.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index f5dedcab2..99f07df4e 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -6806,14 +6806,12 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 ssize_t room = end - pos;
 TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT, qc, NULL, NULL, &room);
- /* TODO: this should not have happened except if we
- * are limited by the congestion control.
- * Note that was added from to list by
+ /* Note that was added from to list by
 * qc_build_frms().
 */
 LIST_DELETE(&cf->list);
 LIST_INSERT(frms, &cf->list);
- break;
+ continue;
 }
 quic_tx_packet_refinc(pkt);
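Review bot: Replacing `break` with `continue` means the loop body now unlinks the current element (`LIST_DELETE(&cf->list)`) and relinks it into `frms` before the next iteration, so the loop header — above the hunk and not visible here — must be the `_safe` form of the list iterator that caches the next element; a plain `list_for_each_entry` would follow `cf->list.n` into `frms` after the relink. A one-line comment at the `continue` would make that dependency explicit, e.g. `/* <cf> is now linked into <frms>; the enclosing loop must use the _safe iterator. */`. A smaller point: with `continue`, several non-fitting frames can be handed back in one pass, and `LIST_INSERT` at the head of `frms` places each later one before the earlier, so they come back in reverse relative order; if retransmission order matters here, inserting after the previously returned frame would preserve it. The enclosing function qc_do_build_pkt() starts before and continues past this hunk.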