git.kaiwu.me - haproxy.git/commit

author	Amaury Denoyelle <adenoyelle@haproxy.com>
	Tue, 29 Mar 2022 09:51:17 +0000 (11:51 +0200)
committer	Amaury Denoyelle <adenoyelle@haproxy.com>
	Wed, 30 Mar 2022 14:12:18 +0000 (16:12 +0200)
commit	8d5def0babf5dcf3b2478d3a39ae039636452617
tree	5d464dd1ae470824e3941a453025dd0304a4847f	tree \| snapshot
parent	10cea5cd6d33071186150bb213739d5b35754ca4	commit \| diff

BUG/MEDIUM: quic: do not use qcs from quic_stream on ACK parsing

The quic_stream frame stores the qcs instance. On ACK parsing, qcs is
accessed to clear the stream buffer. This can cause a segfault if the
MUX or the qcs is already released.

Consider the following scenario :

1. a STREAM frame is generated by the MUX
   transport layer emits the frame with PKN=1
   upper layer has finished the transfer so related qcs is detached

2. transport layer reemits the frame with PKN=2 because ACK was not
   received

3. ACK for PKN=1 is received, stream buffer is cleared
   at this stage, qcs may be freed by the MUX as it is detached

4. ACK for PKN=2 is received
   qcs for STREAM frame is dereferenced which will lead to a crash

To prevent this, qcs is never accessed from the quic_stream during ACK
parsing. Instead, a lookup is done on the MUX streams tree. If the MUX
is already released, no lookup is done. These checks prevents a possible
segfault.

This change may have an impact on the perf as now we are forced to use a
tree lookup operation. If this is the case, an alternative solution may
be to implement a refcount on qcs instances.