From: Frederic Lecaille Date: Tue, 26 Aug 2025 08:26:14 +0000 (+0200) Subject: BUG/MEDIUM: quic-be: avoid crashes when releasing Initial pktns X-Git-Tag: v3.3-dev8~99 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=729196fbedad7bcc906a34a144a5fa4ffd2464dc;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: quic-be: avoid crashes when releasing Initial pktns This bug arrived with this fix: BUG/MINOR: quic-be: missing Initial packet number space discarding leading to crashes when dereferencing ->ipktns. Such crashes could be reproduced with -dMfail option. To reach them, the memory allocations must fail. So, this is relatively rare, except on systems with limited memory. To fix this, do not call quic_pktns_discard() if ->ipktns is NULL. No need to backport. --- diff --git a/src/quic_conn.c b/src/quic_conn.c index 311598392..7c0fcb7da 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -916,7 +916,7 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state) * discard Initial keys when it first sends a Handshake packet... */ - if (qc_is_back(qc) && !quic_tls_pktns_is_dcd(qc, qc->ipktns) && + if (qc_is_back(qc) && qc->ipktns && !quic_tls_pktns_is_dcd(qc, qc->ipktns) && qc->hpktns && qc->hpktns->tx.in_flight > 0) { /* Discard the Initial packet number space. */ TRACE_PROTO("discarding Initial pktns", QUIC_EV_CONN_PRSHPKT, qc);
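Review bot: the added `qc->ipktns &&` guard in the `if (qc_is_back(qc) ...)` condition is the right minimal fix and now mirrors the existing `qc->hpktns &&` guard on the following line, but it protects only this call site: `quic_tls_pktns_is_dcd(qc, qc->ipktns)` and the `quic_pktns_discard()` path named in the message still dereference a packet number space unconditionally, so any other caller that sees a NULL `->ipktns` after an allocation failure (the -dMfail case the message describes) would hit the same crash. Consider making the helper tolerate a NULL pktns, or at least extend the comment just above the condition ("discard Initial keys when it first sends a Handshake packet...") to state that `->ipktns` can legitimately be NULL when its allocation failed, so the new check is not later removed as redundant.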