BUG/MINOR: mux-quic: remove qcs from opening-list on free

qcs instances for bidirectional streams are inserted in
<qcc.opening_list>. It is removed from the list once a full HTTP request
has been parsed. This is required to implement http-request timeout.

If a qcs instance is freed before receiving a full HTTP request, it must
be removed from the <qcc.opening_list>. Else a segfault will occur in
qcc_refresh_timeout() when accessing a dangling pointer.

For the moment this bug was not reproduced in production. This is
because there exists only few rare cases where a qcs is freed before
HTTP request parsing. However, as error detection will be improved on
H3, this will occur more frequently in the near future.

This must be backported up to 2.6.

diff --git a/src/mux_quic.c b/src/mux_quic.c
index 9d7bcf5f967ec799374d9c200a00a94e7939d504..04037a0f499e4c4333dff2e20473efed952b50e7 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -155,6 +155,9 @@ static void qcs_free(struct qcs *qcs)
 
        TRACE_ENTER(QMUX_EV_QCS_END, qcc->conn, qcs);
 
+       if (LIST_INLIST(&qcs->el_opening))
+               LIST_DELETE(&qcs->el_opening);
+
        qc_free_ncbuf(qcs, &qcs->rx.ncbuf);
        b_free(&qcs->tx.buf);