From: Amaury Denoyelle
Date: Mon, 17 Feb 2025 16:15:49 +0000 (+0100)
Subject: BUG/MINOR: quic: prevent crash on conn access after MUX init failure
X-Git-Tag: v3.2-dev6~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2cdc4695cb82fce46d67cef17300ec7cf978906e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: prevent crash on conn access after MUX init failure

Initially, QUIC-MUX was responsible for resetting the quic_conn member to NULL when the MUX was released. This was performed via qcc_release(). However, qcc_release() is also used on qmux_init() failure. In this case, the connection must be freed via its session, so the QCC member is reset to NULL prior to qcc_release(), which prevents the quic_conn member from also being reset. As the connection is freed soon after, quic_conn is a dangling pointer, which may cause crashes.

This bug should be very rare, as first it implies that QUIC-MUX initialization has failed (for example due to a memory alloc error). Also, the member is rarely used by the quic_conn instance. In fact, the only reproducible crash was done with QUIC traces activated, as in this case the connection is accessed via quic_conn under the __trace_enabled() function.

To fix this, detach the connection from quic_conn via the XPRT layer instead of the MUX. More precisely, this is performed via quic_close(). This should ensure that it will always be conducted, both on normal connection closure and after special conditions such as MUX init failure.

This should be backported up to 2.6.

---
diff --git a/src/mux_quic.c b/src/mux_quic.c index ebe37fe10..d3beee730 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2888,7 +2888,6 @@ static void qcc_release(struct qcc *qcc) if (conn) { LIST_DEL_INIT(&conn->stopping_list); - conn->handle.qc->conn = NULL; conn->mux = NULL; conn->ctx = NULL; diff --git a/src/xprt_quic.c b/src/xprt_quic.c index d6d1a1670..dcca43509 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c
@@ -25,6 +25,8 @@ static void quic_close(struct connection *conn, void *xprt_ctx) TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); + qc->conn = NULL; + /* Next application data can be dropped. */ qc->mux_state = QC_MUX_RELEASED;
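Review bot: In the mux_quic.c hunk, dropping `conn->handle.qc->conn = NULL;` from qcc_release() silently moves ownership of the quic_conn back-pointer to the XPRT close path, but nothing in the remaining `if (conn) { ... conn->mux = NULL; conn->ctx = NULL;` block records that. A short comment next to the `conn->mux = NULL;` line, stating that the `qc->conn` reset is deliberately left to quic_close() so that the MUX-init-failure path (where this block is skipped because `conn` is already NULL) is still covered, would stop a later change from re-adding the dereference here, which is exactly the `conn->handle.qc->conn` access that was unsafe to rely on.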
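Review bot: In the xprt_quic.c hunk, the new `qc->conn = NULL;` is placed immediately after `TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc);`, so the entry trace still observes the connection while any later trace in quic_close() sees it detached; that ordering is fine but worth a one-line comment, in the style of the adjacent `/* Next application data can be dropped. */`, saying that the connection is detached here rather than in qcc_release() so the reset also happens when the MUX was never initialized. Without it, the asymmetry with the removed line in mux_quic.c is not obvious to a reader of this file alone, and the 2.6 backport noted in the commit message relies on both hunks landing together.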