From: Frédéric Lécaille Date: Mon, 3 Jul 2023 08:40:32 +0000 (+0200) Subject: BUG/MINOR: quic: Missing QUIC connection path member initialization X-Git-Tag: v2.9-dev2~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74058745556a59d112914d6cf33f337d8d435cd7;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Missing QUIC connection path member initialization This bug was introduced by this commit: MINOR: quic: Remove pool_zalloc() from qc_new_conn(). If ->path is not initialized to NULL value, and if a QUIC connection object allocation has failed (from qc_new_conn()), haproxy could crash in quic_conn_prx_cntrs_update() when dereferencing this QUIC connection member. No backport needed.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c
index c205c351ee..15a8d945ba 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -5480,6 +5480,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 qc->conn = NULL;
 qc->qcc = NULL;
 qc->app_ops = NULL;
+ qc->path = NULL;
 
 /* Keyupdate: required to safely call quic_tls_ku_free() from
 * quic_conn_release().
@@ -5652,7 +5653,11 @@ static inline void quic_conn_prx_cntrs_update(struct quic_conn *qc)
 HA_ATOMIC_ADD(&qc->prx_counters->sendto_err, qc->cntrs.sendto_err);
 HA_ATOMIC_ADD(&qc->prx_counters->sendto_err_unknown, qc->cntrs.sendto_err_unknown);
 HA_ATOMIC_ADD(&qc->prx_counters->sent_pkt, qc->cntrs.sent_pkt);
- HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
+ /* It is possible that ->path was not initialized. For instance if a
+ * QUIC connection allocation has failed.
+ */
+ if (qc->path)
+ HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
 HA_ATOMIC_ADD(&qc->prx_counters->conn_migration_done, qc->cntrs.conn_migration_done);
 /* Stream related counters */
 HA_ATOMIC_ADD(&qc->prx_counters->data_blocked, qc->cntrs.data_blocked);
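Review bot: The run of NULL assignments in qc_new_conn() that now includes `qc->path = NULL;` carries no comment stating the invariant it protects, which is how this member was missed when pool_zalloc() was dropped. Since the object is no longer zeroed, every member the failure path reads has to be set before the first failure exit; the Keyupdate comment just below says this for one member only. I would add a comment above the block such as `/* The pool does not zero this object: set every member read by quic_conn_release() before the first failure exit. */`. Whether the remaining members read on that path are all covered cannot be confirmed from this hunk, since qc_new_conn() starts and ends outside it, so an audit of the release path is worth doing alongside this fix.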
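Review bot: The new comment in quic_conn_prx_cntrs_update() says ->path may be "not initialized", but `if (qc->path)` cannot detect an uninitialized pointer; the guard is sound only because qc_new_conn() now sets the member to NULL before any failure exit. Rewording it to `/* ->path is NULL when qc_new_conn() failed before a path was attached. */` states the condition the check actually relies on. The surrounding statements still dereference `qc->prx_counters` unconditionally; it is presumably assigned before the first failure exit, but that is not visible here and should be confirmed, because this function is reached on the allocation-failure path. The function body continues outside the hunk.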