BUG/MEDIUM: quic: prevent crash due to CRYPTO parsing error

a-denoyelle · a-denoyelle · commit 2975e8805d9e · 2024-11-08T15:19:57.000+01:00
A packet which contains several splitted and out of order CRYPTO frames may be parsed multiple times to ensure it can be handled via ncbuf. Only 3 iterations can be performed to prevent excessive CPU usage. There is a risk of crash if packet parsing is interrupted after maximum iterations is reached, or no progress can be made on the ncbuf. This is because <frm> may be dangling after list_for_each_entry_safe() The crash occurs on qc_frm_free() invokation, on error path of qc_parse_pkt_frms(). To fix it, always reset frm to NULL after list_for_each_entry_safe() to ensure it is not dangling. This should fix new report on github isue #2776. This regression has been triggered by the following patch : 1767196 BUG/MINOR: quic: repeat packet parsing to deal with fragmented CRYPTO As such, it must be backported up to 2.6, after the above patch.
diff --git a/src/quic_rx.c b/src/quic_rx.c
@@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt,
 				break;
 			}
 		}
+
+		/* Always reset <frm> as it may be dangling after
+		 * list_for_each_entry_safe() usage. Especially necessary to
+		 * prevent a crash if loop is interrupted on max iteration.
+		 */
+		frm = NULL;
 	}
 
 	/* Error should be returned if some frames cannot be parsed. */

Original file line number	Diff line number	Diff line change
`@@ -1079,6 +1079,12 @@ static int qc_parse_pkt_frms(struct quic_conn qc, struct quic_rx_packet pkt,`
`1079`	`1079`	`break;`
`1080`	`1080`	`}`
`1081`	`1081`	`}`
	`1082`	`+`
	`1083`	`+ /* Always reset <frm> as it may be dangling after`
	`1084`	`+ * list_for_each_entry_safe() usage. Especially necessary to`
	`1085`	`+ * prevent a crash if loop is interrupted on max iteration.`
	`1086`	`+ */`
	`1087`	`+ frm = NULL;`
`1082`	`1088`	`}`
`1083`	`1089`
`1084`	`1090`	`/* Error should be returned if some frames cannot be parsed. */`