BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error

A packet which contains several splitted and out of order CRYPTO frames
may be parsed multiple times to ensure it can be handled via ncbuf. Only
3 iterations can be performed to prevent excessive CPU usage.

There is a risk of crash if packet parsing is interrupted after maximum
iterations is reached, or no progress can be made on the ncbuf. This is
because <frm> may be dangling after list_for_each_entry_safe()

The crash occurs on qc_frm_free() invokation, on error path of
qc_parse_pkt_frms(). To fix it, always reset frm to NULL after
list_for_each_entry_safe() to ensure it is not dangling.

This should fix new report on github isue #2776. This regression has
been triggered by the following patch :
  1767196d5b
  BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO

As such, it must be backported up to 2.6, after the above patch.
This commit is contained in:
Amaury Denoyelle 2024-11-08 12:40:29 +01:00
parent 3ed9361688
commit 2975e8805d
1 changed files with 6 additions and 0 deletions

View File

@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt,
break;
}
}
/* Always reset <frm> as it may be dangling after
* list_for_each_entry_safe() usage. Especially necessary to
* prevent a crash if loop is interrupted on max iteration.
*/
frm = NULL;
}
/* Error should be returned if some frames cannot be parsed. */