BUG/MEDIUM: quic: always remove the connection from the accept list on close

Fred managed to reproduce a crash showing a corrupted accept_list when
firing thousands of concurrent picoquicdemo clients to the same instance.
It may happen if the connection was placed into the accept_list and
immediately closed before being processed (e.g. on error or t/o ?).

In any case the quic_conn_release() function should always detach a
connection to be deleted from any list, like it does for other lists,
so let's add an MT_LIST_DELETE() here.

This should be backported to 2.6.

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 87396ea..a971698 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -4084,6 +4084,11 @@
/* We must not free the quic-conn if the MUX is still allocated. */
BUG_ON(qc->mux_state == QC_MUX_READY);
+ /* in the unlikely (but possible) case the connection was just added to
+ * the accept_list we must delete it from there.
+ */
+ MT_LIST_DELETE(&qc->accept_list);
+
/* free remaining stream descriptors */
node = eb64_first(&qc->streams_by_id);
while (node) {
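
Review bot: The unconditional MT_LIST_DELETE(&qc->accept_list) added right after the BUG_ON relies on qc->accept_list being an initialized list element every time this release path runs, including for connections that were never queued for accept. It is worth confirming that the element is initialized at allocation, before any error path that can reach this code, and stating that in the comment so the call is clearly a no-op in the common case. The comment also says when the connection may still be linked but not what happens if the consumer of the accept list has already picked this connection up before the delete; one sentence on why detaching here is sufficient, or a pointer to where the consumer handles that, would help whoever backports this to 2.6.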