BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error
A packet which contains several splitted and out of order CRYPTO frames
may be parsed multiple times to ensure it can be handled via ncbuf. Only
3 iterations can be performed to prevent excessive CPU usage.
There is a risk of crash if packet parsing is interrupted after maximum
iterations is reached, or no progress can be made on the ncbuf. This is
because <frm> may be dangling after list_for_each_entry_safe()
The crash occurs on qc_frm_free() invokation, on error path of
qc_parse_pkt_frms(). To fix it, always reset frm to NULL after
list_for_each_entry_safe() to ensure it is not dangling.
This should fix new report on github isue #2776. This regression has
been triggered by the following patch :
1767196d5b
BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO
As such, it must be backported up to 2.6, after the above patch.
This commit is contained in:
parent
3ed9361688
commit
2975e8805d
|
@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt,
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Always reset <frm> as it may be dangling after
|
||||
* list_for_each_entry_safe() usage. Especially necessary to
|
||||
* prevent a crash if loop is interrupted on max iteration.
|
||||
*/
|
||||
frm = NULL;
|
||||
}
|
||||
|
||||
/* Error should be returned if some frames cannot be parsed. */
|
||||
|
|
Loading…
Reference in New Issue