BUG/MINOR: quic: fix use-after-free with trace on ACK consume

When using qc_stream_desc_ack(), the stream instance may be freed if there is no more data in its buffers. This also means that all frames still stored waiting for ACK for this stream are freed via qc_stream_desc_free(). This is particularly important in quic_stream_try_to_consume() where we loop over the frames tree of the stream. A use-after-free is present in cas the stream has been freed in the trace "stream consumed" which dereference the frame. Fix this by first checking if the stream has been freed or not. This bug was detected by using ASAN + quic traces enabled.
2022-04-25 14:26:54 +02:00 · 2022-04-25 14:26:54 +02:00 · 7586bef6d7
commit 7586bef6d7
parent 3e69fcc240
1 changed files with 6 additions and 1 deletions
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@ -1454,11 +1454,16 @@ static int quic_stream_try_to_consume(struct quic_conn *qc,
 			break;

 		if (qc_stream_desc_ack(&stream, offset, len)) {
+			/* cf. next comment : frame may be freed at this stage. */
 			TRACE_PROTO("stream consumed", QUIC_EV_CONN_ACKSTRM,
-			            qc, strm, stream);
+			            qc, stream ? strm : NULL, stream);
 			ret = 1;
 		}

+		/* If stream is NULL after qc_stream_desc_ack(), it means frame
+		 * has been freed. with the stream frames tree. Nothing to do
+		 * anymore in here.
+		 */
 		if (!stream)
 			return 1;