From: Frederic Lecaille Date: Thu, 17 Oct 2024 05:38:14 +0000 (+0200) Subject: BUG/MINOR: quic: avoid leaking post handshake frames X-Git-Tag: v3.0.6~53 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=b47a34ce8dcba5f6ead65dff98eeea41161f01f1;p=haproxy-3.0.git BUG/MINOR: quic: avoid leaking post handshake frames This bug came with this commit: f627b92 BUG/MEDIUM: quic: always validate sender address on 0-RTT If an error happens in quic_build_post_handshake_frames() during the code exexuted for th NEW_TOKEN frame allocation, some could leak because of the wrong label used to interrupt this function asap. Replace the "goto leave" by "goto err" to deallocated such frames to fix this issue. Must be backported as far as 2.9. (cherry picked from commit 19aa320f640f701544c3441787da1577a2479590) Signed-off-by: Christopher Faulet
---
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 1244f03..a8650fe 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -461,7 +461,7 @@ int quic_stateless_reset_token_cpy(unsigned char *pos, size_t len,
 */
 int quic_build_post_handshake_frames(struct quic_conn *qc)
 {
- int ret = 0, max;
+ int ret = 0, max = 0;
 struct quic_enc_level *qel;
 struct quic_frame *frm, *frmbak;
 struct list frm_list = LIST_HEAD_INIT(frm_list);
@@ -487,7 +487,7 @@ int quic_build_post_handshake_frames(struct quic_conn *qc)
 frm = qc_frm_alloc(QUIC_FT_NEW_TOKEN);
 if (!frm) {
 TRACE_ERROR("frame allocation error", QUIC_EV_CONN_IO_CB, qc);
- goto leave;
+ goto err;
 }

 new_token_frm_len =
@@ -495,7 +495,7 @@ int quic_build_post_handshake_frames(struct quic_conn *qc)
 sizeof(frm->new_token.data), &qc->peer_addr);
 if (!new_token_frm_len) {
 TRACE_ERROR("token generation failed", QUIC_EV_CONN_IO_CB, qc);
- goto leave;
+ goto err;
 }

 BUG_ON(new_token_frm_len != sizeof(frm->new_token.data));
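Review bot: The new `max = 0` initialiser in the first hunk is not explained, and the commit message does not mention it. It presumably exists because the two `goto err` changes let the cleanup path run before `max` has been assigned, and that path (outside the hunk) seems to read it. A short comment on the declaration, such as `/* initialised: the err path may run before max is computed */`, would record the dependency. The function body continues outside the hunk, so it is worth confirming that 0 is the right neutral value for whatever `err` does with `max`.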
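Review bot: In the third hunk, the `goto err` taken when token generation fails may still leak the NEW_TOKEN frame allocated just above it. None of the visible lines links `frm` into `frm_list` before that point, so if the `err` label (outside the hunk) only releases frames queued on `frm_list`, this frame is not covered by the fix. If that is the case, release it explicitly before jumping, e.g. `qc_frm_free(qc, &frm);` ahead of `goto err;`. These error paths are taken precisely when allocation or token generation fails, so a leak left here would accumulate per connection under the conditions where memory is already tight.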