From 9a308a89a4f43ccfdcd9923e8951081a404b5fdc Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Fri, 7 Mar 2025 16:35:47 -0500
Subject: [PATCH] Orphan packets from qrx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It may occur that the qrx we allocate in port_default_packet handler to do AEAD validation isn't the one the channel ultimately uses (like if we turn off address validation). In that event, we need to ensure that anything we have on that qrx isn't returned to its free list to avoid early freeing when we free the qrx at the end of port_default_packet_handler, while those frames are still pending on the channel qrx
Reviewed-by: Tim Hudson
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/27004)
---
 include/internal/quic_record_rx.h | 6 ++++++
 ssl/quic/quic_record_rx.c | 15 ++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/include/internal/quic_record_rx.h b/include/internal/quic_record_rx.h
index 8db7f3fc0d..27ac309b30 100644
--- a/include/internal/quic_record_rx.h
+++ b/include/internal/quic_record_rx.h
@@ -259,6 +259,12 @@ int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT **pkt);
 */
 void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt);
+/*
+ * Like ossl_qrx_pkt_release, but just ensures that the refcount is dropped
+ * on this qrx_pkt, and ensure its not on any list
+ */
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt);
+
 /* Increments the reference count for the given packet. */
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt);
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 29625118ae..e4ee26c9d1 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
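Review bot: The comment added for ossl_qrx_pkt_orphan() in include/internal/quic_record_rx.h does not state the ownership contract a caller needs. Unlike ossl_qrx_pkt_release(), the packet is not handed back to its qrx, so after the call the caller is responsible for placing it somewhere (ossl_qrx_inject_pkt() puts it on another qrx's pending list) or it is leaked. The wording "ensure its not on any list" also reads as if the function unlinks the packet, while the implementation only asserts that it is already unlinked. Suggested text: `Like ossl_qrx_pkt_release(), but never recycles the packet to its qrx; the packet must not be on any list and the caller takes over placing it.`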
@@ -279,7 +279,7 @@ void ossl_qrx_inject_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
 * port_default_packet_handler() uses ossl_qrx_read_pkt()
 * to get pkt. Such packet has refcount 1.
 */
- ossl_qrx_pkt_release(pkt);
+ ossl_qrx_pkt_orphan(pkt);
 if (ossl_assert(rxe->refcount == 0))
 ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
 }
@@ -1473,6 +1473,19 @@ void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt)
 qrx_recycle_rxe(pkt->qrx, rxe);
 }
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt)
+{
+ RXE *rxe;
+
+ if (pkt == NULL)
+ return;
+ rxe = (RXE *)pkt;
+ assert(rxe->refcount > 0);
+ rxe->refcount--;
+ assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
+ return;
+}
+
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt)
 {
 RXE *rxe = (RXE *)pkt;
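Review bot: The comment above the changed call in ossl_qrx_inject_pkt() still only records that the packet has refcount 1 and does not explain why it is orphaned rather than released, which is the lifetime reasoning this fix depends on. I would extend it with something like `Orphan, don't release: release would recycle the RXE to the source qrx, which the caller frees while this packet is still pending here.` Separately, `if (ossl_assert(rxe->refcount == 0))` has no else branch, so when another reference exists the RXE ends up on no list with nothing visible here to free it. Whether `pkt->qrx` is re-pointed at the receiving qrx before a later release is not visible in this hunk and is worth confirming; the function's opening lines are outside the hunk.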
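Review bot: Both checks in the new ossl_qrx_pkt_orphan() use plain `assert()`, so a build with NDEBUG drops them and `rxe->refcount--` runs unguarded. Orphaning a packet whose count is already zero would then wrap or go negative (the field's type is not visible here), and the refcount-is-zero test in ossl_qrx_inject_pkt() would no longer describe the packet's real state. That function already uses `ossl_assert()` as a runtime condition, and the same form fits here: `if (!ossl_assert(rxe->refcount > 0)) return;` before the decrement. The list-membership assert could be handled the same way, and the trailing `return;` in a void function can be removed.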