From ebe8e03bb33495fe6d8023cab2849a3c19c4165c Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Mon, 25 Nov 2024 11:14:20 +0100
Subject: [PATCH] BUG/MINOR: quic: Malformed probing packet with already acked frames

If a packet building was asked to probe the peer with frames which have just
been acked, the frames building run by qc_build_frms() could be cancelled
returning 0 by qc_stream_frm_is_acked() which checks that these frames have been
already acknowledged. In this case the packet building run by qc_do_build_pkt()
is not interrupted, leading to the build of an empty packet which should be
ack-eliciting.

This is a bug detected by the BUG_ON() statement in qc_do_build_pkt():

    BUG_ON(qel->pktns->tx.pto_probe && !(pkt->flags & QUIC_FL_TX_PACKET_ACK_ELICITING));

Thank you to @Tristan971 for having reported this issue in GH #2709

This is an old bug which must be backported as far as 2.6.
---
 src/quic_tx.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/quic_tx.c b/src/quic_tx.c index 37f46fe73..9a0898e5d 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -2012,7 +2012,20 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, goto comp_pkt_len; } - if (!ack_frm_len && !qel->pktns->tx.pto_probe) + if (qel->pktns->tx.pto_probe) { + /* If a probing packets was asked and could not be built, + * this is not because there was not enough room, but due to + * its frames which were already acknowledeged. + * (see qc_stream_frm_is_acked()) called by qc_build_frms(). + * + * That said, the consequence must be the same: cancelling + * the packet building as if there was not enough room. + */ + qel->pktns->tx.pto_probe--; + goto no_room; + } + + if (!ack_frm_len) goto no_room; } }
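
Review bot: in the new "if (qel->pktns->tx.pto_probe)" block, "goto no_room" is now reached whatever the value of ack_frm_len, whereas the removed test "if (!ack_frm_len && !qel->pktns->tx.pto_probe)" let the build continue whenever a probe was pending, so a pending ACK frame is now dropped from this packet together with the probe. If that is intended (an ACK-only packet is not ack-eliciting, so it would presumably still trip the BUG_ON() quoted in the commit message while pto_probe is non-zero), the comment should say so. The comment also justifies the "goto no_room" but not the "qel->pktns->tx.pto_probe--" on the line before it; please state why the probe is consumed here rather than left pending for the next build attempt. Minor: "a probing packets" and "acknowledeged" are typos, and the parenthesis in "(see qc_stream_frm_is_acked()) called by qc_build_frms()" closes too early.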