Fix coalesced packet processing
Make sure we correctly process all coalesced packets without modifying the collection while we're iterating on it.
This issue was found by clusterfuzz:
https://bugs.chromium.org/p/chromium/issues/detail?id=990001
I've confirmed that the new test fails with the old code and passes with the fix, and that the fuzzer no longer crashes.
gfe-relnote: fix coalesced packet processing, protected by disabled v99 flag
PiperOrigin-RevId: 261433275
Change-Id: Iea1edf70fc84873fc7fe2f05c749759b2c5a6c9b
diff --git a/quic/core/quic_connection.cc b/quic/core/quic_connection.cc
index 0b648e2..0c33604 100644
--- a/quic/core/quic_connection.cc
+++ b/quic/core/quic_connection.cc
@@ -2620,15 +2620,12 @@
void QuicConnection::MaybeProcessCoalescedPackets() {
bool processed = false;
- for (const auto& packet : coalesced_packets_) {
- if (!connected_) {
- return;
- }
+ while (connected_ && !coalesced_packets_.empty()) {
+ std::unique_ptr<QuicEncryptedPacket> packet =
+ std::move(coalesced_packets_.front());
+ coalesced_packets_.pop_front();
- // }
- // while (connected_ && !coalesced_packets_.empty()) {
QUIC_DVLOG(1) << ENDPOINT << "Processing coalesced packet";
- // QuicEncryptedPacket* packet = coalesced_packets_.front().get();
if (framer_.ProcessPacket(*packet)) {
processed = true;
} else {
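Review bot: The new loop moves each packet out of `coalesced_packets_` and pops it before calling `framer_.ProcessPacket`, but nothing in the code records why that ordering matters, so a later reader could "simplify" it back to iterating the deque in place and reintroduce the crash. A comment above the `while` would pin the invariant, e.g. `// Pop each packet before processing it: ProcessPacket() may append to coalesced_packets_, so iterating the deque in place would touch elements added mid-iteration (see crbug.com/990001).` That ProcessPacket re-queues into the same deque is taken from the commit description rather than from lines visible here. MaybeProcessCoalescedPackets continues past the end of this hunk.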
@@ -2644,9 +2641,7 @@
}
}
}
- // coalesced_packets_.pop_front();
}
- coalesced_packets_.clear();
if (processed) {
MaybeProcessUndecryptablePackets();
}