BUG/MINOR: mux-quic: prevent crash after MUX init failure

qmux_init() may fail for several reasons. In this case, connection
resources are freed and underlying and a CONNECTION_CLOSE will be
emitted via its quic_conn instance.

In case of qmux_init() failure, qcc_release() is used to clean up
resources, but QCC <conn> member is first resetted to NULL, as
connection released must be delayed. Some cleanup operations are thus
skipped, one of them is the resetting of <ctx> connection member to
NULL. This may cause a crash as <ctx> is a dangling pointer after QCC
release. One of the possible reproducer is to activate QMUX traces,
which will cause a segfault on the qmux_init() error leave trace.

To fix this, simply reset <ctx> to NULL manually on qmux_init() failure.

This must be backported up to 3.0.

diff --git a/src/mux_quic.c b/src/mux_quic.c
index d3beee730f5e4d9a12ac5b7ae96e502a9da0d692..3bf9577ce1495ca9a022782bc5f508e66530c36a 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -3190,6 +3190,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx,
                /* In case of MUX init failure, session will ensure connection is freed. */
                qcc->conn = NULL;
                qcc_release(qcc);
+               conn->ctx = NULL;
        }
 
        TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);