From: Frederic Lecaille <flecaille@haproxy.com>
Date: Thu, 12 Jun 2025 09:17:18 +0000 (+0200)
Subject: MINOR: quic-be: Avoid SSL context unreachable code without USE_QUIC_OPENSSL_COMPAT
X-Git-Tag: v3.3-dev2~62
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a0ae9e9be743fc6e3d2a631f483f320d3a84636;p=thirdparty%2Fhaproxy.git

MINOR: quic-be: Avoid SSL context unreachable code without USE_QUIC_OPENSSL_COMPAT

This commit added a "err" C label reachable only with USE_QUIC_OPENSSL_COMPAT:

   MINOR: quic-be: Missing callbacks initializations (USE_QUIC_OPENSSL_COMPAT)

leading coverity to warn this:

*** CID 1611481:         Control flow issues  (UNREACHABLE)
/src/quic_ssl.c: 802             in ssl_quic_srv_new_ssl_ctx()
796     		goto err;
797     #endif
798
799      leave:
800     	TRACE_LEAVE(QUIC_EV_CONN_NEW);
801     	return ctx;
>>>     CID 1611481:         Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "err:
SSL_CTX_free(ctx);".
802      err:
803     	SSL_CTX_free(ctx);
804     	ctx = NULL;
805     	TRACE_DEVEL("leaving on error", QUIC_EV_CONN_NEW);
806     	goto leave;
807     }

The less intrusive (without #ifdef) way to fix this it to add a "goto err"
statement from the code part which is reachable without USE_QUIC_OPENSSL_COMPAT.

Thank you to @chipitsine for having reported this issue in GH #3003.
---

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 3341e03cb..21c4237aa 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -785,7 +785,7 @@ SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
 	ctx = SSL_CTX_new(TLS_client_method());
 	if (!ctx) {
 		TRACE_ERROR("Could not allocate a new TLS context", QUIC_EV_CONN_NEW);
-		goto leave;
+		goto err;
 	}
 
 	SSL_CTX_set_options(ctx, options);