This bug arrived with this commit:
BUG/MEDIUM: quic: do not release BE quic-conn prior to upper conn
which added a BUG_ON(qc->conn) statement at the beginning of quic_conn_release().
It is triggered if the connection is not released before releasing the quic_conn.
But this is always the case for a backend quic_conn when its allocation from
qc_new_conn() fails.
Such crashes could be reproduced with the -dMfail option. To reach them, the
memory allocations must fail. So, this is relatively rare, except on systems
with limited memory.
To fix this, simply set the ->conn quic_conn struct member to a non-null value
(the one passed as parameter) after the quic_conn allocation has succeeded.
No backport needed.
qc->idle_timer_task = NULL;
qc->xprt_ctx = NULL;
- qc->conn = conn;
+ /* We must not free the quic-conn if upper conn is still allocated. */
+ qc->conn = NULL;
qc->qcc = NULL;
qc->app_ops = NULL;
qc->path = NULL;
if (!qc_new_isecs(qc, &qc->iel->tls_ctx, qc->original_version, dcid->data, dcid->len, !!l))
goto err;
+ qc->conn = conn;
/* Counters initialization */
memset(&qc->cntrs, 0, sizeof qc->cntrs);
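Review bot: the fix only holds if `qc->conn = conn;` is placed after the last initialization step in qc_new_conn() that can `goto err`; if any allocation following the qc_new_isecs() call can still fail, quic_conn_release() is entered with ->conn set and the BUG_ON(qc->conn) introduced by the referenced commit fires again, so please confirm no later failure point exists or move the assignment to the very end of the function. Also, the comment added beside `qc->conn = NULL;` states the release invariant rather than why the field is cleared at this point; consider rewording it along the lines of `/* Attach the upper conn only once initialization can no longer fail, so the error path releases a quic_conn with ->conn == NULL. */` and adding a matching one-line comment at the later `qc->conn = conn;` so the two assignments are visibly paired.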