BUG/MINOR: quic: Missing QUIC connection path member initialization

This bug was introduced by this commit:
  MINOR: quic: Remove pool_zalloc() from qc_new_conn().

If ->path is not initialized to NULL value, and if a QUIC connection object
allocation has failed (from qc_new_conn()), haproxy could crash in
quic_conn_prx_cntrs_update() when dereferencing this QUIC connection member.

No backport needed.

diff --git a/src/quic_conn.c b/src/quic_conn.c
index c205c351ee6652ccb1ecc43caf921a0a246a010f..15a8d945babc87c642a376c9df61224d36f0f2a4 100644 (file)
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -5480,6 +5480,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
        qc->conn = NULL;
        qc->qcc = NULL;
        qc->app_ops = NULL;
+       qc->path = NULL;
 
        /* Keyupdate: required to safely call quic_tls_ku_free() from
         * quic_conn_release().
@@ -5652,7 +5653,11 @@ static inline void quic_conn_prx_cntrs_update(struct quic_conn *qc)
        HA_ATOMIC_ADD(&qc->prx_counters->sendto_err, qc->cntrs.sendto_err);
        HA_ATOMIC_ADD(&qc->prx_counters->sendto_err_unknown, qc->cntrs.sendto_err_unknown);
        HA_ATOMIC_ADD(&qc->prx_counters->sent_pkt, qc->cntrs.sent_pkt);
-       HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
+       /* It is possible that ->path was not initialized. For instance if a
+        * QUIC connection allocation has failed.
+        */
+       if (qc->path)
+               HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
        HA_ATOMIC_ADD(&qc->prx_counters->conn_migration_done, qc->cntrs.conn_migration_done);
        /* Stream related counters */
        HA_ATOMIC_ADD(&qc->prx_counters->data_blocked, qc->cntrs.data_blocked);