BUG/MINOR: quic: Malforme probing packet with already acked frames

If a packet building was asked to probe the peer with frames which have just been acked, the frames building run by qc_build_frms() could be cancelled returning 0 by qc_stream_frm_is_acked() which ckeck that these frames have been already acknowledged. In this case the packet building run by qc_do_build_pkt() is not interrupted, leading to the build of an empty packet which should be ack-eliciting. This is a bug detected by the BUG_ON() statement in qc_do_build_pk(): BUG_ON(qel->pktns->tx.pto_probe && !(pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING)); Thank you to @Tristan971 for having reported this issue in GH #2709 This is an old bug which must be backported as far as 2.6.
haproxytech · Nov 25, 2024 · ebe8e03 · ebe8e03
1 parent 22bd92a
commit ebe8e03
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/src/quic_tx.c b/src/quic_tx.c
@@ -2012,7 +2012,20 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end,
 				goto comp_pkt_len;
 			}
 
-			if (!ack_frm_len && !qel->pktns->tx.pto_probe)
+			if (qel->pktns->tx.pto_probe) {
+				/* If a probing packets was asked and could not be built,
+				 * this is not because there was not enough room, but due to
+				 * its frames which were already acknowledeged.
+				 * (see qc_stream_frm_is_acked()) called by qc_build_frms().
+				 *
+				 * That said, the consequence must be the same: cancelling
+				 * the packet building as if there was not enough room.
+				 */
+				 qel->pktns->tx.pto_probe--;
+				 goto no_room;
+			}
+
+			if (!ack_frm_len)
 				goto no_room;
 		}
 	}