BUG/MAJOR: quic: Possible crash with full congestion control window
This commit reverts this one:
"d5066dd9d BUG/MEDIUM: quic: qc_prep_app_pkts() retries on qc_build_pkt() failures"
After having filled the congestion control window, qc_build_pkt() always fails.
Then depending on the relative position of the writer and reader indexes for the
TX buffer, this could lead this function to try to reuse the buffer even if not full.
In such case, we do not always mark the end of the data in this TX buffer. This
is something the reader cannot understand: it reads a false datagram length,
then a wrong packet address from the TX buffer, leading to an invalid pointer
dereferencing.
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index bfe888f..34fc084 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -2528,7 +2528,11 @@
case -2:
goto err;
case -1:
- goto stop_build;
+ /* As we provide qc_build_pkt() with an enough big buffer to fulfill an
+ * MTU, we are here because of the congestion control window. There is
+ * no need to try to reuse this buffer.
+ */
+ goto out;
default:
break;
}
@@ -2542,7 +2546,6 @@
qc_set_dg(cbuf, pkt->len, pkt);
}
- stop_build:
/* Reset <wr> writer index if in front of <rd> index */
if (end_buf - pos < (int)qc->path->mtu + dg_headlen) {
int rd = HA_ATOMIC_LOAD(&cbuf->rd);
@@ -5204,6 +5207,10 @@
*
* Return -2 if the packet could not be allocated or encrypted for any reason,
* -1 if there was not enough room to build a packet.
+ * XXX NOTE XXX
+ * If you provide provide qc_build_pkt() with a big enough buffer to build a packet as big as
+ * possible (to fill an MTU), the unique reason why this function may fail is the congestion
+ * control window limitation.
*/
static struct quic_tx_packet *qc_build_pkt(unsigned char **pos,
const unsigned char *buf_end,