From cacdc146556a38f8045fb90dedc1c48a78a2401d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Sat, 27 Aug 2022 15:51:30 +0200
Subject: [PATCH] BUG/MINOR: quic: Frames added to packets even if not built.
Several frames could remain as not build into built by qc_build_frms() after having stopped at the first building error. So only one frame was reinserted in the frame list passed as parameter to qc_do_build_pkt(). Then was spliced to the packet frame list even its frames were not built, nor attached to any packet. Such frames had their ->pkt member set to NULL, but considered as built, then sent leading to a crash in qc_release_frm() where ->pkt is dereferenced. This issue was again reported by useful traces provided by Tristan in GH #1808. Must be backported to 2.6.
(cherry picked from commit 149c531fa185f418def681fbe044d48fca1db66c)
Signed-off-by: Christopher Faulet
---
 src/xprt_quic.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 49a444235..55a47c253 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -6180,14 +6180,12 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 ssize_t room = end - pos;
 TRACE_PROTO("Not enough room", QUIC_EV_CONN_HPKT,
 qc, NULL, NULL, &room);
-/* TODO: this should not have happened if qc_build_frms()
- * had correctly computed and sized the frames to be
- * added to this packet. Note that was added
- * from to list by qc_build_frms().
+ /* Note that was added from to list by
+ * qc_build_frms().
 */
 LIST_DELETE(&cf->list);
 LIST_INSERT(frms, &cf->list);
-break;
+continue;
 }
 
 quic_tx_packet_refinc(pkt);
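Review bot: The new comment next to the `continue` does not say why the loop now keeps going instead of stopping at the first build error, which is the whole point of the change; a reader seeing the loop proceed after "Not enough room" will assume later, smaller frames are still meant to be built. I would state it explicitly: `/* Do not stop at the first build error: every frame left unbuilt in <pkt>->frms must be moved back to <frms>, otherwise it is sent with ->pkt still NULL and dereferenced in qc_release_frm(). */`. As rendered here the retained comment reads "Note that was added from to list by", so the `<cf>`, `<pkt>->frms` and `<frms>` tokens appear to have been lost, presumably by the page rendering rather than the patch, but the committed text is worth checking. With `continue`, a later frame that does fit is inferred to still be built after an earlier one failed, which changes the frame order within the packet relative to the sizing done by qc_build_frms(); if that is intended, the comment should say so. qc_do_build_pkt() begins and ends outside the hunk.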