From: Amaury Denoyelle
Date: Mon, 17 Feb 2025 09:54:41 +0000 (+0100)
Subject: BUG/MINOR: mux-quic: prevent crash after MUX init failure
X-Git-Tag: v3.2-dev6~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2715dbe9d065d8700a8fba6e2605a451cfbb72b8;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-quic: prevent crash after MUX init failure

qmux_init() may fail for several reasons. In this case, connection resources are freed and underlying and a CONNECTION_CLOSE will be emitted via its quic_conn instance.

In case of qmux_init() failure, qcc_release() is used to clean up resources, but QCC member is first reset to NULL, as connection released must be delayed. Some cleanup operations are thus skipped; one of them is the resetting of connection member to NULL. This may cause a crash as is a dangling pointer after QCC release.

One of the possible reproducers is to activate QMUX traces, which will cause a segfault on the qmux_init() error leave trace.

To fix this, simply reset to NULL manually on qmux_init() failure.

This must be backported up to 3.0.
---
diff --git a/src/mux_quic.c b/src/mux_quic.c
index d3beee730..3bf9577ce 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -3190,6 +3190,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx, /* In case of MUX init failure, session will ensure connection is freed. */ qcc->conn = NULL; qcc_release(qcc); + conn->ctx = NULL; } TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);
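Review bot: the added `conn->ctx = NULL;` is correct only because of an ordering dependency that the hunk does not document: `qcc->conn` is set to NULL immediately before `qcc_release(qcc)`, so the release routine can no longer reach the connection to clear its ctx pointer, and the reset has to be done by hand after the release and before `TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn)` is reached with `conn` still in scope. Suggest extending the existing comment so a later refactor does not reorder or drop the line, for example `/* In case of MUX init failure, session will ensure connection is freed. qcc->conn is cleared first so qcc_release() skips it, hence conn->ctx must be reset manually here. */`.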