mirror of
http://git.haproxy.org/git/haproxy.git
synced 2026-02-09 19:12:29 +02:00
131f2d93e1
MUX uses qc_send_mux() function to send frames list over a QUIC connection. On network congestion, the lower layer will reject some frames and it is the MUX responsibility to free them. There is another category of error which are when the sendto() fails. In this case, the lower layer will free the packet and its attached frames and the MUX should not touch them. This model was violated by MUX layer for RESET_STREAM and STOP_SENDING emission. In this case, frames were freed every time by the MUX on error. This causes a double free error which lead to a crash. Fix this by always ensuring if frames were rejected by the lower layer before freeing them on the MUX. This is done simply by checking if frame list is not empty, as RESET_STREAM and STOP_SENDING are sent individually. This bug was never reproduced in production. Thus, it is labelled as MINOR. This must be backported up to 2.7.