MINOR: mux-quic: do not set buffer for empty STREAM frame

Previous patch fixes an issue occurring with empty STREAM frames without payload. The crash was hidden in part because buf/data fields of qf_stream were set even if no payload is referenced. This was not the true cause of the crash but to ease future debugging, a STREAM frame built with no payload now has its buf and data fields set to NULL. This should be backported up to 2.6.
2026-04-24 07:37:53 -04:00 · 2023-04-25 16:39:32 +02:00 · 2023-04-25 16:39:32 +02:00 · 42c5b75cac
commit 42c5b75cac
parent 19eaf88fda
1 changed files with 13 additions and 2 deletions
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@ -1530,11 +1530,19 @@ static int qcs_build_stream_frm(struct qcs *qcs, struct buffer *out, char fin,

 	frm->stream.stream = qcs->stream;
 	frm->stream.id = qcs->id;
-	frm->stream.buf = out;
-	frm->stream.data = (unsigned char *)b_peek(out, head);
 	frm->stream.offset.key = 0;
 	frm->stream.dup = 0;

+	if (total) {
+		frm->stream.buf = out;
+		frm->stream.data = (unsigned char *)b_peek(out, head);
+	}
+	else {
+		/* Empty STREAM frame. */
+		frm->stream.buf = NULL;
+		frm->stream.data = NULL;
+	}
+
 	/* FIN is positioned only when the buffer has been totally emptied. */
 	if (fin)
 		frm->type |= QUIC_STREAM_FRAME_TYPE_FIN_BIT;
@ -1544,6 +1552,9 @@ static int qcs_build_stream_frm(struct qcs *qcs, struct buffer *out, char fin,
 		frm->stream.offset.key = qcs->tx.sent_offset;
 	}

+	/* Always set length bit as we do not know if there is remaining frames
+	 * in the final packet after this STREAM.
+	 */
 	frm->type |= QUIC_STREAM_FRAME_TYPE_LEN_BIT;
 	frm->stream.len = total;