BUG/MINOR: mux-quic: prevent crash if conn released during IO callback

A qcc instance may be freed in the middle of qc_io_cb() if all streams
were purged. This will lead to a crash as qcc instance is reused after
this step. Jump directly to the end of the function to avoid this.

Note that this bug has not been triggered for the moment. This is a
safety fix to prevent it.

This must be backported up to 2.6.

diff --git a/src/mux_quic.c b/src/mux_quic.c
index d4851570c36e6a8100c79ad2384d8cd848159a51..5580d46fb16798ab4944f81df2985b95061f5929 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -1673,6 +1673,7 @@ static struct task *qc_io_cb(struct task *t, void *ctx, unsigned int status)
        if (qc_purge_streams(qcc)) {
                if (qcc_is_dead(qcc)) {
                        qc_release(qcc);
+                       goto end;
                }
                else if (qcc->task) {
                        if (qcc_may_expire(qcc))
@@ -1685,6 +1686,7 @@ static struct task *qc_io_cb(struct task *t, void *ctx, unsigned int status)
 
        qc_recv(qcc);
 
+ end:
        TRACE_LEAVE(QMUX_EV_QCC_WAKE);
 
        return NULL;