From: Frédéric Lécaille Date: Mon, 4 Sep 2023 08:23:12 +0000 (+0200) Subject: BUG/MINOR: quic: Unchecked pointer to packet number space dereferenced X-Git-Tag: v2.9-dev5~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d52466726fec5d9eb97ab1aa1c94e02d40767f43;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Unchecked pointer to packet number space dereferenced It is possible that there are still Initial crypto data in flight without Handshake crypto data in flight. This is very rare but possible. This issue was reported by long-rtt interop test with quic-go as client and @chipitsine in GH #2276. No need to backport. --- diff --git a/src/quic_conn.c b/src/quic_conn.c index a2e85d8dfd..be65c2e205 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -1094,7 +1094,7 @@ struct task *qc_process_timer(struct task *task, void *ctx, unsigned int state) else { TRACE_STATE("Cannot probe Initial packet number space", QUIC_EV_CONN_TXPKT, qc); } - if (qc->hpktns->tx.in_flight) { + if (qc->hpktns && qc->hpktns->tx.in_flight) { qc->flags |= QUIC_FL_CONN_RETRANS_NEEDED; qc->hpktns->flags |= QUIC_FL_PKTNS_PROBE_NEEDED; TRACE_STATE("needs to probe Handshake packet number space", QUIC_EV_CONN_TXPKT, qc);
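Review bot: the new `qc->hpktns &&` guard in the `if` at the end of this hunk has no visible trace for the case where the pointer is NULL, whereas the Initial branch just above it logs "Cannot probe Initial packet number space" in its `else`. Consider adding a comparable TRACE_STATE for the Handshake packet number space so a skipped probe shows up in traces. A short comment above the condition saying when `qc->hpktns` can be NULL at this point in qc_process_timer() would also help, since the commit message describes the in-flight situation but not why the pointer is unset. The two `qc->hpktns` uses inside the block (`->flags` and the condition's `->tx.in_flight`) are covered by the guard as written.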