From 4309a6fbf80240b0880c5adf091f0075c3bcd53f Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 18 Apr 2025 18:02:48 +0200
Subject: [PATCH] BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure To handle out-of-order received CRYPTO frames, a ncbuf instance is allocated. This is done via the helper quic_get_ncbuf(). Buffer allocation was improperly checked. In case b_alloc() fails, it crashes due to a BUG_ON(). Fix this by removing it. The function now returns NULL on allocation failure, which is already properly handled in its caller qc_handle_crypto_frm(). This should fix the last reported crash from github issue #2935. This must be backported up to 2.6.
---
 include/haproxy/quic_conn.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h
index 31f0c086f..3ba4b0938 100644
--- a/include/haproxy/quic_conn.h
+++ b/include/haproxy/quic_conn.h
@@ -127,7 +127,11 @@ static inline void quic_conn_mv_cids_to_cc_conn(struct quic_conn_closed *cc_conn
 }
-/* Allocate the underlying required memory for non-contiguous buffer */
+/* Allocate the underlying required memory for non-contiguous buffer.
+ * Does nothing if buffer is already allocated.
+ *
+ * Returns the buffer instance or NULL on allocation failure.
+ */
 static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
 {
 struct buffer buf = BUF_NULL;
@@ -135,8 +139,8 @@ static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
 if (!ncb_is_null(ncbuf))
 return ncbuf;
- b_alloc(&buf, DB_MUX_RX);
- BUG_ON(b_is_null(&buf));
+ if (!b_alloc(&buf, DB_MUX_RX))
+ return NULL;
 *ncbuf = ncb_make(buf.area, buf.size, 0);
 ncb_init(ncbuf, 0);
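Review bot: The new `return NULL` path in quic_get_ncbuf() makes the return value something every caller must check, but the updated header comment neither says so nor states what happens to `<ncbuf>` on failure. Because this is a static inline in include/haproxy/quic_conn.h, any call site other than qc_handle_crypto_frm() (none is visible in this diff) would turn the removed BUG_ON() crash into a NULL dereference, so the callers are worth checking in each branch before the backport to 2.6. Per the commit message the allocation is triggered by out-of-order CRYPTO frames received from the peer, so this failure path can presumably be reached from remote input under memory pressure. I would add one line to the comment, for example `* Callers must check the result; on failure <ncbuf> is left untouched and still null.` The function body continues past the end of the second hunk.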