From: Amaury Denoyelle Date: Tue, 4 Nov 2025 16:28:56 +0000 (+0100) Subject: MINOR: quic: do not set conn member if ssl_sock_ctx X-Git-Tag: v3.3-dev12~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a17cade4f60c6ba5a9321916df874233ab898cb;p=thirdparty%2Fhaproxy.git MINOR: quic: do not set conn member if ssl_sock_ctx ssl_sock_ctx is a generic object used both on TCP/SSL and QUIC stacks. Most notably it contains a member which is a pointer to struct connection. On QUIC frontend side, this member is always set to NULL. Indeed, connection is only created after handshake completion. However, this has changed for backend side, where the connection is instantiated prior to its quic_conn counterpart. Thus, ssl_sock_ctx member would be set in this case as a convenience for use later in qc_ssl_do_hanshake(). However, this method was unsafe as the connection can be released, without resetting ssl_sock_ctx member. Thus, the previous patch fixes this by using on member through the quic_conn instance which is the proper way. Thus, this patch resets ssl_sock_ctx member to NULL. This is deemed the cleanest method as it ensures that both frontend and backend sides must not use it anymore. --- diff --git a/include/haproxy/quic_ssl.h b/include/haproxy/quic_ssl.h index d8f25fb65..3f0c2010c 100644 --- a/include/haproxy/quic_ssl.h +++ b/include/haproxy/quic_ssl.h @@ -35,7 +35,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf); SSL_CTX *ssl_quic_srv_new_ssl_ctx(void); -int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn); +int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target); int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx); int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx); diff --git a/src/quic_conn.c b/src/quic_conn.c index 00a84d606..98a9820b2 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -1359,7 +1359,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4, qc->wait_event.events = 0; qc->subs = NULL; - if (qc_alloc_ssl_sock_ctx(qc, conn) || + if (qc_alloc_ssl_sock_ctx(qc, target) || !quic_conn_init_timer(qc) || !quic_conn_init_idle_timer_task(qc, prx)) goto err; diff --git a/src/quic_ssl.c b/src/quic_ssl.c index 6ef87f8d1..bf756f929 100644 --- a/src/quic_ssl.c +++ b/src/quic_ssl.c @@ -1183,7 +1183,7 @@ static int quic_ssl_set_tls_cbs(SSL *ssl) * CO_ER_SSL_NO_MEM. */ static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl, - struct connection *conn, int server) + int server) { int retry, ret = -1; @@ -1263,10 +1263,12 @@ static int qc_set_quic_early_data_enabled(struct quic_conn *qc, SSL *ssl) * * Returns 0 on success else non-zero. */ -int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn) +int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target) { - int ret = 0; struct ssl_sock_ctx *ctx = NULL; + struct bind_conf *bc; + struct server *srv; + int ret = 0; TRACE_ENTER(QUIC_EV_CONN_NEW, qc); @@ -1276,7 +1278,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn) goto err; } - ctx->conn = conn; + ctx->conn = NULL; ctx->bio = NULL; ctx->xprt = NULL; ctx->xprt_ctx = NULL; @@ -1289,9 +1291,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn) ctx->qc = qc; if (!qc_is_back(qc)) { - struct bind_conf *bc = qc->li->bind_conf; - - if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, NULL, 1) == -1) + bc = __objt_listener(target)->bind_conf; + if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, 1) == -1) goto err; #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC) /* Enabling 0-RTT */ @@ -1302,9 +1303,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn) SSL_set_accept_state(ctx->ssl); } else { - struct server *srv = __objt_server(ctx->conn->target); - - if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, conn, 0) == -1) + srv = __objt_server(target); + if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, 0) == -1) goto err; if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))