]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fbbc292)
BUG/MEDIUM: mux-quic: fix crash on STOP_SENDING received without SD
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 10 May 2024 08:42:07 +0000 (10:42 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 10 May 2024 09:01:05 +0000 (11:01 +0200)
Abort reason code received on STOP_SENDING is notified to upper layer
since the following commit :
  367ce1ebf3e4cead319a9f01581037c9f0280e77
  MINOR: mux-quic: Set tha SE abort reason when a STOP_SENDING frame is received

However, this causes a crash when a STOP_SENDING is received on a QCS
instance without any stream instantiated. Fix this by checking first if
qcs->sd is not NULL before setting abort code.

This bug can easily be reproduced by emitting a STOP_SENDING as first
frame of a stream.

This should fix github issue #2563.

This does not need to be backported.

src/mux_quic.c patch | blob | blame | history

diff --git a/src/mux_quic.c b/src/mux_quic.c
index b7f3f9ca26eeb2159b2f08dfadf4e593a40447eb..b90077b04ec52e24bc68b8faf2b9fb3cecd5ae69 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -1585,18 +1585,18 @@ int qcc_recv_stop_sending(struct qcc *qcc, uint64_t id, uint64_t err)
                }
        }
 
-       /* If FIN already reached, future RESET_STREAMS will be ignored.
-        * Manually set EOS in this case.
-        */
-       if (qcs_sc(qcs) && se_fl_test(qcs->sd, SE_FL_EOI)) {
-               se_fl_set(qcs->sd, SE_FL_EOS);
-               qcs_alert(qcs);
-       }
+       if (qcs_sc(qcs)) {
+               /* Manually set EOS if FIN already reached as futures RESET_STREAM will be ignored in this case. */
+               if (se_fl_test(qcs->sd, SE_FL_EOI)) {
+                       se_fl_set(qcs->sd, SE_FL_EOS);
+                       qcs_alert(qcs);
+               }
 
-       /* If not defined yet, set abort info for the sedesc */
-       if (!qcs->sd->abort_info.info) {
-               qcs->sd->abort_info.info = (SE_ABRT_SRC_MUX_QUIC << SE_ABRT_SRC_SHIFT);
-               qcs->sd->abort_info.code = err;
+               /* If not defined yet, set abort info for the sedesc */
+               if (!qcs->sd->abort_info.info) {
+                       qcs->sd->abort_info.info = (SE_ABRT_SRC_MUX_QUIC << SE_ABRT_SRC_SHIFT);
+                       qcs->sd->abort_info.code = err;
+               }
        }
 
        /* RFC 9000 3.5. Solicited State Transitions
Mirror of https://github.com/haproxy/haproxy.git