From: Frédéric Lécaille
Date: Fri, 2 Jun 2023 14:56:16 +0000 (+0200)
Subject: BUG/MINOR: quic: Possible crash when SSL session init fails
X-Git-Tag: v2.9-dev1~74
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29a1d3679b704766eccd4935a4b7ff8fd16f7190;p=thirdparty%2Fhaproxy.git
BUG/MINOR: quic: Possible crash when SSL session init fails
This is due to the fact that qc->conn is never initialized before calling qc_ssl_sess_init(). Must be backported as far as 2.6.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 459c22aded..f0a0df7cc2 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -6733,7 +6733,7 @@ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl,
 *ssl = SSL_new(ssl_ctx);
 if (!*ssl) {
 if (!retry--)
- goto err;
+ goto leave;
 pool_gc(NULL);
 goto retry;
@@ -6744,7 +6744,7 @@ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl,
 SSL_free(*ssl);
 *ssl = NULL;
 if (!retry--)
- goto err;
+ goto leave;
 pool_gc(NULL);
 goto retry;
@@ -6754,10 +6754,6 @@ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl,
 leave:
 TRACE_LEAVE(QUIC_EV_CONN_NEW, qc);
 return ret;
-
- err:
- qc->conn->err_code = CO_ER_SSL_NO_MEM;
- goto leave;
 }
 /* Allocate the ssl_sock_ctx from connection . This creates the tasklet
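Review bot: Both failure exits in qc_ssl_sess_init() (the `goto leave` after `SSL_new()` in the first hunk and the one after `SSL_free(*ssl)` in the second) now return with no record of why session init failed, because the third hunk drops `CO_ER_SSL_NO_MEM` instead of deferring it. Removing the `qc->conn` dereference is the right fix for the crash, but an allocation failure during a handshake is the kind of event an operator wants to see when diagnosing memory pressure or a resource-exhaustion attempt. Consider emitting a trace before leaving, e.g. `if (!retry--) { TRACE_ERROR("SSL session allocation failed", QUIC_EV_CONN_NEW, qc); goto leave; }` (message text is a suggestion), and adding a comment above `leave:` such as `/* qc->conn is not set yet at this stage: the caller must report the failure */`. The function starts outside these hunks, so the value returned on failure depends on how `ret` is initialised above, which should be confirmed to be the error value.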