From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Tue, 5 Sep 2023 08:12:27 +0000 (+0200)
Subject: BUG/MINOR: quic: Unchecked pointer to Handshake packet number space
X-Git-Tag: v2.9-dev5~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aeb2f28ca76faf01b19273776ffaef19e811df2d;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Unchecked pointer to Handshake packet number space

It is possible that there are still Initial crypto data in flight without
Handshake crypto data in flight. This is very rare but possible.

This issue was reported by handshakeloss interop test with quic-go as client
and @chipitsine in GH #2279.

No need to backport.
---

diff --git a/src/quic_tx.c b/src/quic_tx.c
index 46dd6bad87..67c57efb57 100644
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
@@ -1333,7 +1333,8 @@ int qc_dgrams_retransmit(struct quic_conn *qc)
 				if (!LIST_ISEMPTY(&hfrms))
 					hpktns->tx.pto_probe = 1;
 				qc->iel->retrans_frms = &ifrms;
-				qc->hel->retrans_frms = &hfrms;
+				if (qc->hel)
+					qc->hel->retrans_frms = &hfrms;
 				if (!qc_send_hdshk_pkts(qc, 1, qc->iel, qc->hel))
 					goto leave;
 				/* Put back unsent frames in their packet number spaces */