Orphan packets from qrx

It may occur that the qrx we allocate in port_default_packet handler to
do AEAD validation isn't the one the channel ultimately uses (like if we
turn off address validation).  In that event, we need to ensure that
anything we have on that qrx isn't returned to its free list to avoid
early freeing when we free the qrx at the end of
port_default_packet_handler, while those frames are still pending on the
channel qrx

Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Saša Nedvědický <[email protected]>
(Merged from openssl#27004)

Author: nhorman

include/internal/quic_record_rx.h

@@ -259,6 +259,12 @@ int ossl_qrx_read_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT **pkt);
  */
 void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt);
 
+/*
+ * Like ossl_qrx_pkt_release, but just ensures that the refcount is dropped
+ * on this qrx_pkt, and ensure its not on any list
+ */
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt);
+
 /* Increments the reference count for the given packet. */
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt);
 

ssl/quic/quic_record_rx.c

@@ -279,7 +279,7 @@ void ossl_qrx_inject_pkt(OSSL_QRX *qrx, OSSL_QRX_PKT *pkt)
      * port_default_packet_handler() uses ossl_qrx_read_pkt()
      * to get pkt. Such packet has refcount 1.
      */
-    ossl_qrx_pkt_release(pkt);
+    ossl_qrx_pkt_orphan(pkt);
     if (ossl_assert(rxe->refcount == 0))
         ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe);
 }
@@ -1473,6 +1473,19 @@ void ossl_qrx_pkt_release(OSSL_QRX_PKT *pkt)
         qrx_recycle_rxe(pkt->qrx, rxe);
 }
 
+void ossl_qrx_pkt_orphan(OSSL_QRX_PKT *pkt)
+{
+    RXE *rxe;
+
+    if (pkt == NULL)
+        return;
+    rxe = (RXE *)pkt;
+    assert(rxe->refcount > 0);
+    rxe->refcount--;
+    assert(ossl_list_rxe_prev(rxe) == NULL && ossl_list_rxe_next(rxe) == NULL);
+    return;
+}
+
 void ossl_qrx_pkt_up_ref(OSSL_QRX_PKT *pkt)
 {
     RXE *rxe = (RXE *)pkt;