QUIC: avoid accessing freed frame.

Previously the field pnum of a potentially freed frame was accessed.  Now the
value is copied to a local variable.  The old behavior did not cause any
problems since the frame memory is not freed, but is moved to a free queue
instead.

1 files changed, 3 insertions, 1 deletions

diff --git a/src/event/quic/ngx_event_quic_ack.c b/src/event/quic/ngx_event_quic_ack.c
index 865be2e6a..e6210653a 100644
--- a/src/event/quic/ngx_event_quic_ack.c
+++ b/src/event/quic/ngx_event_quic_ack.c
@@ -548,6 +548,7 @@ ngx_quic_persistent_congestion(ngx_connection_t *c)
 void
 ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
 {
+    uint64_t                pnum;
     ngx_queue_t            *q;
     ngx_quic_frame_t       *f, *start;
     ngx_quic_stream_t      *qs;
@@ -556,6 +557,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
     qc = ngx_quic_get_connection(c);
     q = ngx_queue_head(&ctx->sent);
     start = ngx_queue_data(q, ngx_quic_frame_t, queue);
+    pnum = start->pnum;
 
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic resend packet pnum:%uL", start->pnum);
@@ -565,7 +567,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
     do {
         f = ngx_queue_data(q, ngx_quic_frame_t, queue);
 
-        if (f->pnum != start->pnum) {
+        if (f->pnum != pnum) {
             break;
         }