BUG/MINOR: quic: Endless loop during retransmissions
qc_dgrams_retransmit() could reuse the same local list and could splice it two
times to the packet number space list of frames to be sent/resent. This creates a
loop in this list and makes qc_build_frms() possibly endlessly loop when trying
to build frames from the packet number space list of frames. Then haproxy aborts.
This issue could be easily reproduced by patching the qc_build_frms() function to set the <dlen>
variable value to 0 after having built at least 10 CRYPTO frames and using ngtcp2
as client with 30% packet loss in both directions.
Thank you to @gabrieltz for having reported this issue in GH #1903.
Must be backported to 2.6.
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 4edd5f9..d54c3b5 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -4243,10 +4243,10 @@
int i;
if (hqel->pktns->flags & QUIC_FL_PKTNS_PROBE_NEEDED) {
- struct list frms1 = LIST_HEAD_INIT(frms1);
-
hqel->pktns->tx.pto_probe = 0;
for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++) {
+ struct list frms1 = LIST_HEAD_INIT(frms1);
+
qc_prep_fast_retrans(qc, hqel, &frms1, NULL);
TRACE_DEVEL("Avail. ack eliciting frames", QUIC_EV_CONN_FRMLIST, qc, &frms1);
if (!LIST_ISEMPTY(&frms1)) {
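Review bot: the declaration of `frms1` now inside the `for (i = 0; i < QUIC_MAX_NB_PTO_DGRAMS; i++)` loop carries no comment explaining why it must live there, so a later cleanup could hoist it back out of the loop and reintroduce the double splice described in the commit message. Consider a one-line comment on the declaration stating that the list head must be fresh for each datagram because it is spliced into the packet number space list of frames. The rest of the loop body is not visible in this hunk, so it is also worth confirming that no entries can remain on `frms1` when an iteration ends, since re-initialising the head on the next pass would drop them without releasing them.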