BUG/MINOR: quic-be: CID double free upon qc_new_conn() failures

This issue may occur when qc_new_conn() fails after having allocated
and attached <conn_cid> to its tree. This is the case when compiling
haproxy against WolfSSL for an unknown reason at this time. In this
case the <conn_cid> is freed by pool_head_quic_connection_id(), then
freed again by quic_conn_release().

This bug arrived with this commit:

    MINOR: quic-be: QUIC connection allocation adaptation (qc_new_conn())

So, the aim of this patch is to free <conn_cid> only for QUIC backends
and if it is not attached to its tree. This is the case when <conn_id>
local variable passed with NULL value to qc_new_conn() is then initialized
to the same <conn_cid> value.
Frederic Lecaille 2025-06-12 10:59:35 +02:00
parent dc3fb3a731
commit 869fb457ed


@ -1351,7 +1351,15 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
return qc;
err:
pool_free(pool_head_quic_connection_id, conn_id);
if (!l && !conn_id) {
/* For QUIC clients, <conn_id> is locally used and initialized to <conn_cid>
* value as soon as this latter is attached to the CIDs tree. It must
* be freed only if it has not been attached to this tree. This is
* quic_conn_release() which free this CID when it is attached to the tree.
*/
pool_free(pool_head_quic_connection_id, conn_id);
}
quic_conn_release(qc);
/* Decrement global counters. Done only for errors happening before or
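Review bot: inside the new `if (!l && !conn_id)` block, the call `pool_free(pool_head_quic_connection_id, conn_id);` is reached only when `conn_id` is NULL, so it releases nothing; both the block comment and the commit message say the object to release in this branch is `<conn_cid>` (the CID that was allocated but never attached to the tree, which is exactly when `conn_id` was left at NULL), so the argument should presumably be `conn_cid`, and the guard should also make sure `conn_cid` was actually allocated on that error path. Separately, the `+`/`-` prefixes were lost in rendering: reading the hunk header `-1351,7 +1351,15` as one line removed and nine added, the first `pool_free(pool_head_quic_connection_id, conn_id);` is the removed unconditional free and the `if` block is the replacement; a reviewer should confirm that `quic_conn_release(qc)` still frees the attached CID in the `conn_id != NULL` case, since that is the double free the commit message describes.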