From: Amaury Denoyelle Date: Tue, 15 Feb 2022 10:06:15 +0000 (+0100) Subject: BUG/MEDIUM: quic: fix crash on CC if mux not present X-Git-Tag: v2.6-dev2~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4af6595d41f99dd9fdbe33ce52350a557f22dc34;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: quic: fix crash on CC if mux not present If a CONNECTION_CLOSE is received during handshake or after mux release, a segfault happens due to invalid dereferencement of qc->qcc. Check mux_state first to prevent this. --- diff --git a/src/xprt_quic.c b/src/xprt_quic.c index bff17805c5..b71e427220 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -2448,7 +2448,8 @@ static int qc_parse_pkt_frms(struct quic_rx_packet *pkt, struct ssl_sock_ctx *ct case QUIC_FT_CONNECTION_CLOSE: case QUIC_FT_CONNECTION_CLOSE_APP: /* warn the mux to close the connection */ - qc->qcc->flags |= QC_CF_CC_RECV; + if (qc->mux_state == QC_MUX_READY) + qc->qcc->flags |= QC_CF_CC_RECV; tasklet_wakeup(qc->qcc->wait_event.tasklet); break; case QUIC_FT_HANDSHAKE_DONE:
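Review bot: in the QUIC_FT_CONNECTION_CLOSE / QUIC_FT_CONNECTION_CLOSE_APP case, the new `if (qc->mux_state == QC_MUX_READY)` has no braces, so it guards only the `qc->qcc->flags |= QC_CF_CC_RECV;` assignment. The unchanged line that follows, `tasklet_wakeup(qc->qcc->wait_event.tasklet);`, still reads through qc->qcc unconditionally. A CONNECTION_CLOSE received during the handshake or after mux release therefore still reaches the invalid dereference the commit message describes. Put both statements in one braced block under the mux_state check so that nothing touches qc->qcc unless the mux is ready. The "warn the mux to close the connection" comment could also say that the frame is deliberately not relayed when no mux is attached.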