BUG/MEDIUM: mux-quic: properly release conn-stream on detach

On qc_detach(), the qcs must cleared the conn-stream context and set its
cs pointer to NULL. This prevents the qcs to point to a dangling
reference.

Without this, a SEGFAULT may occurs in qc_wake_some_streams() when
accessing an already detached conn-stream instance through a qcs.

Here is the SEGFAULT observed on haproxy.org.
 Program terminated with signal 11, Segmentation fault.
 1234                            else if (qcs->cs->data_cb->wake) {
 (gdb) p qcs.cs.data_cb
 $1 = (const struct data_cb *) 0x0

This can happens since the following patch :
 commit fe035eca3a24ea0f031fdcdad23809bea5de32e4
 MEDIUM: mux-quic: report errors on conn-streams

diff --git a/src/mux_quic.c b/src/mux_quic.c
index b9131890dd4e3622e15295347f183b3f65c434a3..3e32388919e3cbfd07f88a8cb605b84b161574c4 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -1061,6 +1061,8 @@ static void qc_detach(struct conn_stream *cs)
 
        TRACE_ENTER(QMUX_EV_STRM_END, qcc->conn, qcs);
 
+       cs->ctx = NULL;
+       qcs->cs = NULL;
        --qcc->nb_cs;
 
        if ((b_data(&qcs->tx.buf) || qcs->tx.offset > qcs->tx.sent_offset) &&