From: Amaury Denoyelle
Date: Fri, 12 Aug 2022 13:56:21 +0000 (+0200)
Subject: BUG/MINOR: mux-quic: fix crash with traces in qc_detach()
X-Git-Tag: v2.7-dev4~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35a66c0a367ec773d155ef1d380e8c9d2598afa8;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-quic: fix crash with traces in qc_detach()

qc_detach() is used to free a qcs as notified by sedesc. If there is no more stream active and the connection is considered as dead, it will then be freed.

This prevents dereferencing qcc in the TRACE macro. Else this will cause a crash. Use a different code-path on release for qc_detach() to fix this bug.

This will fix the last occurrence of crash on github issue #1808.

This has been introduced by recent QUIC MUX traces rework. Thus, it does not need to be backported.
---
diff --git a/src/mux_quic.c b/src/mux_quic.c index 196f682c23..57d7fdb2e3 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2099,7 +2099,7 @@ static void qc_detach(struct sedesc *sd) if (qcc_is_dead(qcc)) { TRACE_STATE("killing dead connection", QMUX_EV_STRM_END, qcc->conn); - qc_release(qcc); + goto release; } else if (qcc->task) { TRACE_DEVEL("refreshing connection's timeout", QMUX_EV_STRM_END, qcc->conn); @@ -2110,6 +2110,12 @@ static void qc_detach(struct sedesc *sd) } TRACE_LEAVE(QMUX_EV_STRM_END, qcc->conn); + return; + + release: + qc_release(qcc); + TRACE_LEAVE(QMUX_EV_STRM_END); + return; } /* Called from the upper layer, to receive data */
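
Review bot: the new `release:` path at the end of qc_detach() has no comment explaining why its `TRACE_LEAVE(QMUX_EV_STRM_END);` omits `qcc->conn` while the normal exit just above passes it. The commit message says the connection is freed on this path, so a one-line comment above the label stating that qcc must not be dereferenced after `qc_release(qcc)` would keep a later consistency cleanup from restoring the argument and bringing the crash back. The final `return;` after that TRACE_LEAVE is the last statement of a void function and can be dropped.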