From: Frederic Lecaille
Date: Thu, 12 Jun 2025 08:59:35 +0000 (+0200)
Subject: BUG/MINOR: quic-be: CID double free upon qc_new_conn() failures
X-Git-Tag: v3.3-dev2~63
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=869fb457ed4aca542df68b58ab7d6914732f6ab5;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic-be: CID double free upon qc_new_conn() failures

This issue may occur when qc_new_conn() fails after having allocated and attached to its tree. This is the case when compiling haproxy against WolfSSL for an unknown reason at this time. In this case the is freed by pool_head_quic_connection_id(), then freed again by quic_conn_release().

This bug arrived with this commit:

    MINOR: quic-be: QUIC connection allocation adaptation (qc_new_conn())

So, the aim of this patch is to free only for QUIC backends and if it is not attached to its tree. This is the case when local variable passed with NULL value to qc_new_conn() is then initialized to the same value.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c index 90c1a1db0..82cec926d 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -1351,7 +1351,15 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4, return qc; err: - pool_free(pool_head_quic_connection_id, conn_id); + if (!l && !conn_id) { + /* For QUIC clients, is locally used and initialized to + * value as soon as this latter is attached to the CIDs tree. It must + * be freed only if it has not been attached to this tree. This is + * quic_conn_release() which free this CID when it is attached to the tree. + */ + pool_free(pool_head_quic_connection_id, conn_id); + } + quic_conn_release(qc); /* Decrement global counters. Done only for errors happening before or
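Review bot: the guard added in the err: path, `if (!l && !conn_id) { pool_free(pool_head_quic_connection_id, conn_id); }`, only enters the block when conn_id is NULL, so the pool_free inside it is handed a NULL pointer and can never release the CID the commit message says must be freed (the one allocated locally for a backend connection but not yet attached to the tree). If the goal is to free only an unattached CID, the condition should test the attachment state of the locally allocated CID (for example whether its tree node was inserted) rather than the NULL-ness of conn_id; as written, the double free is avoided only because nothing is freed here at all, and the unattached-CID leak the comment warns about remains. Two smaller points: `l` does not appear in the hunk's context, so the assumption that it is the listener pointer and NULL for backends should be stated in the comment; and the comment text "which free this CID" should read "which frees this CID", and it currently reads as incomplete ("is locally used and initialized to value"), so please restore the identifiers it refers to.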