From: Amaury Denoyelle Date: Wed, 11 Oct 2023 13:40:38 +0000 (+0200) Subject: BUG/MINOR: quic: fix qc.cids access on quic-conn fail alloc X-Git-Tag: v2.9-dev8~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d76ffb2a49a2926010358a3f3e08a395715a547;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: fix qc.cids access on quic-conn fail alloc CIDs tree is now allocated dynamically since the following commit : 276697438d50456f92487c990f20c4d726dfdb96 MINOR: quic: Use a pool for the connection ID tree. This can cause a crash if qc_new_conn() is interrupted due to an intermediary failed allocation. When freeing all connection members, free_quic_conn_cids() is used. However, this function does not support a NULL cids. To fix this, simply check that cids is NULL during free_quic_conn_cids() prologue. This bug was reproduced using -dMfail. No need to backport. --- diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h index 5d2fbfa05b..a1f72c0ef3 100644 --- a/include/haproxy/quic_conn.h +++ b/include/haproxy/quic_conn.h @@ -209,6 +209,9 @@ static inline void free_quic_conn_cids(struct quic_conn *conn) { struct eb64_node *node; + if (!conn->cids) + return; + node = eb64_first(conn->cids); while (node) { struct quic_connection_id *conn_id;
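Review bot: The new guard at the top of free_quic_conn_cids() in include/haproxy/quic_conn.h has no comment saying when conn->cids can legitimately be NULL, so a later reader cannot tell a deliberate allowance from a defensive check that hides a bug. The commit message gives the reason (qc_new_conn() interrupted by a failed allocation before the CIDs tree exists); a one-line comment above `if (!conn->cids)` stating that would keep the rationale next to the code. Since the function is a static inline in a header, every caller now accepts a NULL tree silently, so the comment should also make clear that the partially built connection is the only expected case. The message reports that the crash was reproduced with -dMfail; re-running that after the fix would confirm that nothing else on the same failure path dereferences cids.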