tcp: Store the owner connections for flags framesHEAD2025_09_11.6cbccccmaster

There is an issue reported by Volker Diels-Grabsch and Boleyn Su.
A segmentation fault occurs when executing the following command:

	(sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22

It's caused by commit 78da088f7bab ("tcp: unify payload and flags
l2 frames array"). Fix it by storing the owner connections of flags
frames into tcp_frame_conns[] array.

Reported-by: Volker Diels-Grabsch <v@njh.eu>
Reported-by: Boleyn Su <boleyn.su@gmail.com>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Fixes: 78da088f7bab ("tcp: unify payload and flags l2 frames array")
Signed-off-by: Yumei Huang <yuhuang@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/tcp_buf.c b/tcp_buf.c
index 49bddbe..a493b5a 100644
--- a/tcp_buf.c
+++ b/tcp_buf.c
@@ -209,13 +209,14 @@ int tcp_buf_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags)
 	if (ret <= 0)
 		return ret;
 
-	tcp_payload_used++;
+	tcp_frame_conns[tcp_payload_used++] = conn;
 	l4len = optlen + sizeof(struct tcphdr);
 	iov[TCP_IOV_PAYLOAD].iov_len = l4len;
 	tcp_l2_buf_fill_headers(conn, iov, NULL, seq, false);
 
 	if (flags & DUP_ACK) {
-		struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used++];
+		struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used];
+		tcp_frame_conns[tcp_payload_used++] = conn;
 
 		memcpy(dup_iov[TCP_IOV_TAP].iov_base, iov[TCP_IOV_TAP].iov_base,
 		       iov[TCP_IOV_TAP].iov_len);