From: Amaury Denoyelle Date: Wed, 2 Oct 2024 08:21:02 +0000 (+0200) Subject: BUG/MINOR: mux-quic: fix crash on qcc_init() early return X-Git-Tag: v3.1-dev9~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58b7a72d0701310933d7d52549bdfd40ff14e273;p=thirdparty%2Fhaproxy.git BUG/MINOR: mux-quic: fix crash on qcc_init() early return qcc_release() may be used in case qcc_init() cannot complete. In this case, connection instance is NULL. As such, it cannot be dereferenced without testing it first. This should fix github coverity report #2739. No backport needed.
---
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 09f8833490..8b46580757 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -2626,7 +2626,7 @@ static void qcc_release(struct qcc *qcc)
 {
 struct connection *conn = qcc->conn;
 struct eb64_node *node;
- struct quic_conn *qc = conn->handle.qc;
+ struct quic_conn *qc;
 TRACE_ENTER(QMUX_EV_QCC_END, conn);
@@ -2644,11 +2644,14 @@ static void qcc_release(struct qcc *qcc)
 }
 /* unsubscribe from all remaining qc_stream_desc */
- node = eb64_first(&qc->streams_by_id);
- while (node) {
- struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
- qc_stream_desc_sub_room(stream, NULL);
- node = eb64_next(node);
+ if (conn) {
+ qc = conn->handle.qc;
+ node = eb64_first(&qc->streams_by_id);
+ while (node) {
+ struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
+ qc_stream_desc_sub_room(stream, NULL);
+ node = eb64_next(node);
+ }
 }
 tasklet_free(qcc->wait_event.tasklet);
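Review bot: `qc` is now declared uninitialized at function scope (first hunk) and only assigned inside the new `if (conn)` block (second hunk), so any later use of `qc` outside that guard would read an indeterminate pointer. Declaring it where it is used, `struct quic_conn *qc = conn->handle.qc;` as the first line inside `if (conn) {`, ties the pointer's scope to the NULL check. The guard would also benefit from a short comment such as `/* conn is NULL when called from a failed qcc_init() */`, since that reason currently lives only in the commit message. qcc_release() starts before and continues past these hunks, so whether its other uses of `conn` are similarly guarded cannot be confirmed from here.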