From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Mon, 13 Nov 2023 10:30:36 +0000 (+0100)
Subject: BUG/MEDIUM: quic: fix FD for quic_cc_conn
X-Git-Tag: v2.9-dev10~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=954b5b756a7dd4cdabbc46402055f4673650a250;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: fix FD for quic_cc_conn

Since following commit, quic_conn closes its owned socket before
transition to quic_cc_conn for closing state. This allows to save FDs as
quic_cc_conn could use the listener socket for their I/O.

  commit 150c0da8895be50a39fd8e44f1db28e52c938569
  MEDIUM: quic: release conn socket before using quic_cc_conn

This patch is incomplete as it removes initialization of <fd> member for
quic_cc_conn. Thus, if sending is done on closing state, <fd> value is
undefined which in most cases will result in a crash. Fix this by simply
initializing <fd> member with qc_init_fd() in qc_new_cc_conn().

This bug should fix recent issue from #2095. Thanks to Tristan for its
reporting and then testing of this patch.

No need to backport.
---

diff --git a/src/quic_conn.c b/src/quic_conn.c
index d3b89ab46e..067de20434 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -828,6 +828,8 @@ static struct quic_cc_conn *qc_new_cc_conn(struct quic_conn *qc)
 
 	quic_conn_mv_cids_to_cc_conn(cc_qc, qc);
 
+	qc_init_fd((struct quic_conn *)cc_qc);
+
 	cc_qc->flags = qc->flags;
 	cc_qc->err = qc->err;