1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure

Browse Source 
To handle out-of-order received CRYPTO frames, a ncbuf instance is
allocated. This is done via the helper quic_get_ncbuf().

Buffer allocation was improperly checked. In case b_alloc() fails, it
crashes due to a BUG_ON(). Fix this by removing it. The function now
returns NULL on allocation failure, which is already properly handled in
its caller qc_handle_crypto_frm().

This should fix the last reported crash from github issue #2935.

This must be backported up to 2.6.
This commit is contained in:
Amaury Denoyelle 2025-04-18 18:02:48 +02:00
parent acd372d6ac
commit 4309a6fbf8
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/haproxy/quic_conn.h
View File

@ -127,7 +127,11 @@ static inline void quic_conn_mv_cids_to_cc_conn(struct quic_conn_closed *cc_conn
} }
/* Allocate the underlying required memory for <ncbuf> non-contiguous buffer */ /* Allocate the underlying required memory for <ncbuf> non-contiguous buffer.
* Does nothing if buffer is already allocated.
*
* Returns the buffer instance or NULL on allocation failure.
*/
static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf) static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
{ {
struct buffer buf = BUF_NULL; struct buffer buf = BUF_NULL;
@ -135,8 +139,8 @@ static inline struct ncbuf *quic_get_ncbuf(struct ncbuf *ncbuf)
if (!ncb_is_null(ncbuf)) if (!ncb_is_null(ncbuf))
return ncbuf; return ncbuf;
b_alloc(&buf, DB_MUX_RX); if (!b_alloc(&buf, DB_MUX_RX))
BUG_ON(b_is_null(&buf)); return NULL;
*ncbuf = ncb_make(buf.area, buf.size, 0); *ncbuf = ncb_make(buf.area, buf.size, 0);
ncb_init(ncbuf, 0); ncb_init(ncbuf, 0);