RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-07 17:51:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: quic: Possible crash when inspecting the xprt context

Browse Source 
haproxy may crash when running this statement in qc_lstnr_pkt_rcv():
	conn_ctx = qc->conn->xprt_ctx;
because qc->conn may not be initialized. With this patch we ensure
qc->conn is correctly initialized before accessing its ->xprt_ctx
members. We zero the xrpt_ctx structure (ssl_conn_ctx struct), then
initialize its ->conn member with HA_ATOMIC_STORE. Then, ->conn and
->conn->xptr_ctx members of quic_conn struct can be accessed with HA_ATOMIC_LOAD()
This commit is contained in:
Frédéric Lécaille 2021-11-23 15:59:59 +01:00
parent e2660e61e2
commit d77c50b6d6
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/xprt_quic.c
View File

@ -3852,7 +3852,8 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
qc = cid->qc;
}
pkt->qc = qc;
conn_ctx = qc->conn->xprt_ctx;
if (HA_ATOMIC_LOAD(&qc->conn))
conn_ctx = HA_ATOMIC_LOAD(&qc->conn->xprt_ctx);
}
}
else {
@ -3872,7 +3873,8 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
cid = ebmb_entry(node, struct quic_connection_id, node);
qc = cid->qc;
conn_ctx = qc->conn->xprt_ctx;
if (HA_ATOMIC_LOAD(&qc->conn))
conn_ctx = HA_ATOMIC_LOAD(&qc->conn->xprt_ctx);
*buf += QUIC_CID_LEN;
pkt->qc = qc;
/* A short packet is the last one of an UDP datagram. */
@ -4855,7 +4857,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
if (*xprt_ctx)
goto out;
ctx = pool_alloc(pool_head_quic_conn_ctx);
ctx = pool_zalloc(pool_head_quic_conn_ctx);
if (!ctx) {
conn->err_code = CO_ER_SYS_MEMLIM;
goto err;
@ -4870,7 +4872,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
ctx->wait_event.tasklet->process = quic_conn_io_cb;
ctx->wait_event.tasklet->context = ctx;
ctx->wait_event.events = 0;
ctx->conn = conn;
HA_ATOMIC_STORE(&ctx->conn, conn);
ctx->subs = NULL;
ctx->xprt_ctx = NULL;
@ -4944,7 +4946,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
SSL_set_accept_state(ctx->ssl);
}
*xprt_ctx = ctx;
HA_ATOMIC_STORE(xprt_ctx, ctx);
/* Leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;