From: Amaury Denoyelle
Date: Wed, 13 Apr 2022 14:58:26 +0000 (+0200)
Subject: BUG/MINOR: quic-sock: do not double free session on conn init failure
X-Git-Tag: v2.6-dev6~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=622ec4166b8d755a9dde9cd3024a2046dd555a48;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic-sock: do not double free session on conn init failure

In quic_session_accept, the connection is in charge of calling the quic-conn start callback. If this callback fails for whatever reason, there is a crash because of an explicit session_free. This happens because the connection is now the owner of the session due to the previous conn_complete_session call. It will automatically call session_free.

Fix this by skipping the explicit session_free invocation on error.

In practice, currently this has never happened as there are only limited cases of failures for conn_xprt_start for QUIC.
---
diff --git a/src/quic_sock.c b/src/quic_sock.c index 1aa0015993..3baf3fd133 100644 --- a/src/quic_sock.c +++ b/src/quic_sock.c @@ -66,8 +66,16 @@ int quic_session_accept(struct connection *cli_conn) if (conn_complete_session(cli_conn) < 0) goto out_free_sess; - if (conn_xprt_start(cli_conn) >= 0) - return 1; + if (conn_xprt_start(cli_conn) < 0) { + /* conn_complete_session has succeeded : conn is the owner of + * the session and the MUX is initialized. + * Let the MUX free all resources on error. + */ + cli_conn->mux->destroy(cli_conn->ctx); + return -1; + } + + return 1; out_free_sess: /* prevent call to listener_release during session_free. It will be
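Review bot: the new error branch dereferences cli_conn->mux unconditionally and relies on two facts that the hunk itself does not show: that conn_complete_session() returning >= 0 guarantees cli_conn->mux is set, and that mux->destroy(cli_conn->ctx) releases the session (the session_free the commit message says the connection now owns) as well as the connection, so that nothing is leaked where the old code fell through to out_free_sess. Both are asserted only in the new comment; it would be worth stating there that cli_conn (and cli_conn->ctx) must not be touched after the destroy call, and the commit message could name the mux whose destroy callback is expected here, since a mux whose destroy does not free the session would reintroduce a leak rather than the crash this fixes. The explicit `return -1;` also changes the function's error path from whatever the out_free_sess label returns (not visible in the hunk); if the caller distinguishes return codes, confirm both paths agree. Minor style nit: "has succeeded : conn" has a stray space before the colon.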