nginx: src/event/quic/ngx_event_quic

comparison src/event/quic/ngx_event_quic_connid.c @ 8911:b09f055daa4e quic

QUIC: fixed handling of RETIRE_CONNECTION_ID frame. Previously, the retired socket was not closed if it didn't match active or backup. New sockets could not be created (due to count limit), since retired socket was not closed before calling ngx_quic_create_sockets(). When replacing retired socket, new socket is only requested after closing old one, to avoid hitting the limit on the number of active connection ids. Together with added restrictions, this fixes an issue when a current socket could be closed during migration, recreated and erroneously reused leading to null pointer dereference.

author	Vladimir Homutov <vl@nginx.com>
date	Thu, 18 Nov 2021 14:19:36 +0300
parents	f8848f5a1014
children	9680f0badc95

comparison

equal deleted inserted replaced

-:f8848f5a1014
+:b09f055daa4e
 qsock = ngx_quic_find_socket(c, f->sequence_number);
 if (qsock == NULL) {
 return NGX_OK;
 }
+ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+"quic socket #%uL is retired", qsock->sid.seqnum);
+/* check if client is willing to retire sid we have in use */
 if (qsock->sid.seqnum == qc->socket->sid.seqnum) {
 tmp = &qc->socket;
 } else if (qc->backup && qsock->sid.seqnum == qc->backup->sid.seqnum) {
 tmp = &qc->backup;
 } else {
-tmp = NULL;
-}
+ngx_quic_close_socket(c, qsock);
+/* restore socket count up to a limit after deletion */
+if (ngx_quic_create_sockets(c) != NGX_OK) {
+return NGX_ERROR;
+}
+return NGX_OK;
+}
+/* preserve path/cid from retired socket */
+path = qsock->path;
+cid = qsock->cid;
+/* ensure that closing_socket will not drop path and cid */
+path->refcnt++;
+cid->refcnt++;
+ngx_quic_close_socket(c, qsock);
+/* restore original values */
+path->refcnt--;
+cid->refcnt--;
+/* restore socket count up to a limit after deletion */
 if (ngx_quic_create_sockets(c) != NGX_OK) {
-return NGX_ERROR;
+goto failed;
 }
-if (tmp) {
+qsock = ngx_quic_get_unconnected_socket(c);
-/* replace socket in use (active or backup) */
+if (qsock == NULL) {
+qc->error = NGX_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR;
-ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
+qc->error_reason = "not enough server IDs";
-"quic %s socket #%uL:%uL:%uL retired",
+goto failed;
-(*tmp) == qc->socket ? "active" : "backup",
+}
-(*tmp)->sid.seqnum, (*tmp)->cid->seqnum,
-(*tmp)->path->seqnum);
+ngx_quic_connect(c, qsock, path, cid);
-qsock = ngx_quic_get_unconnected_socket(c);
+ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
-if (qsock == NULL) {
+"quic %s socket is now #%uL:%uL:%uL (%s)",
-return NGX_ERROR;
+(*tmp) == qc->socket ? "active" : "backup",
-}
+qsock->sid.seqnum, qsock->cid->seqnum,
+qsock->path->seqnum,
-path = (*tmp)->path;
+ngx_quic_path_state_str(qsock->path));
-cid = (*tmp)->cid;
+/* restore active/backup pointer in quic connection */
-ngx_quic_connect(c, qsock, path, cid);
+*tmp = qsock;
+return NGX_OK;
-ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
-"quic %s socket is now #%uL:%uL:%uL (%s)",
+failed:
-(*tmp) == qc->socket ? "active" : "backup",
-qsock->sid.seqnum, qsock->cid->seqnum,
+/*
-qsock->path->seqnum,
+* socket was closed, path and cid were preserved artifically
-ngx_quic_path_state_str(qsock->path));
+* to be reused, but it didn't happen, thus unref here
+*/
-ngx_quic_close_socket(c, *tmp); /* no longer used */
+ngx_quic_unref_path(c, path);
-*tmp = qsock;
+ngx_quic_unref_client_id(c, cid);
-}
+return NGX_ERROR;
-return NGX_OK;
 }
 ngx_int_t
 ngx_quic_create_sockets(ngx_connection_t *c)

Mercurial > hg > nginx

comparison src/event/quic/ngx_event_quic_connid.c @ 8911:b09f055daa4e quic