RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-09 23:39:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MAJOR: quic: remove qc from receiver cids tree on free

Browse Source 
Remove the quic_conn from the receiver connection_ids tree on
quic_conn_free. This fixes a crash due to dangling references in the
tree after a quic connection release.

This operation must be conducted under the listener lock. For this
reason, the quic_conn now contains a reference to its attached listener.
This commit is contained in:
Amaury Denoyelle 2021-09-30 11:03:28 +02:00
parent d595f108db
commit 2af1985af8
2 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/haproxy/xprt_quic-t.h
View File

@ -657,6 +657,7 @@ struct quic_conn {
struct quic_path paths[1];
struct quic_path *path;
struct listener *li; /* only valid for frontend connections */
/* MUX */
struct qcc *qcc;
struct task *timer_task;

8
src/xprt_quic.c
View File

@ -2903,6 +2903,13 @@ static void quic_conn_free(struct quic_conn *conn)
return;
free_quic_conn_cids(conn);
/* remove the connection from receiver cids trees */
HA_RWLOCK_WRLOCK(OTHER_LOCK, &conn->li->rx.cids_lock);
ebmb_delete(&conn->odcid_node);
ebmb_delete(&conn->scid_node);
HA_RWLOCK_WRUNLOCK(OTHER_LOCK, &conn->li->rx.cids_lock);
for (i = 0; i < QUIC_TLS_ENC_LEVEL_MAX; i++)
quic_conn_enc_level_uninit(&conn->els[i]);
if (conn->timer_task)
@ -3004,6 +3011,7 @@ static struct quic_conn *qc_new_conn(unsigned int version, int ipv4,
memcpy(qc->dcid.data, scid, scid_len);
qc->dcid.len = scid_len;
qc->tx.qring_list = &l->rx.tx_qrings;
qc->li = l;
}
/* QUIC Client (outgoing connection to servers) */
else {