BUG/MINOR: quic: Frames added to packets even if not built.
Several frames could remain as not built in <frm_list> built by qc_build_frms()
after having stopped at the first building error. So only one frame was reinserted in
the frame list passed as parameter to qc_do_build_pkt(). Then <frm_list> was
spliced to the packet frame list even though its frames were not built, nor attached to
any packet. Such frames had their ->pkt member set to NULL, but were considered as
built, then sent, leading to a crash in qc_release_frm() where ->pkt is dereferenced.
This issue was again reported by useful traces provided by Tristan in GH #1808.
Must be backported to 2.6.
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index f5dedca..99f07df 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -6806,14 +6806,12 @@
ssize_t room = end - pos;
TRACE_DEVEL("Not enough room", QUIC_EV_CONN_TXPKT,
qc, NULL, NULL, &room);
- /* TODO: this should not have happened except if we
- * are limited by the congestion control.
- * Note that <cf> was added from <frm_list> to <frms> list by
+ /* Note that <cf> was added from <frms> to <frm_list> list by
* qc_build_frms().
*/
LIST_DELETE(&cf->list);
LIST_INSERT(frms, &cf->list);
- break;
+ continue;
}
quic_tx_packet_refinc(pkt);
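Review bot: replacing `break` with `continue` means the loop now keeps walking <frm_list> after `LIST_DELETE(&cf->list); LIST_INSERT(frms, &cf->list);` has moved the current element to another list, so this is only safe if the enclosing loop is a deletion-safe iterator (the `_safe` variant that caches the next element); please confirm that, since a plain iterator would follow `cf->list.n` into <frms> after the move. The `continue` also skips `quic_tx_packet_refinc(pkt);` for the frame that did not fit, which is consistent with it not being attached to the packet, but the rewritten comment only says where <cf> came from; a short line stating why every non-fitting frame must go back to <frms> (so it is not spliced into the packet's frame list with ->pkt still NULL, the crash described in the message) would make the intent of `continue` over `break` clear to the next reader.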