From: Frédéric Lécaille
Date: Wed, 6 Sep 2023 07:15:55 +0000 (+0200)
Subject: BUG/MINOR: quic: Dereferenced unchecked pointer to Handshke packet number space
X-Git-Tag: v2.9-dev5~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7240a0ba6e07a9be157f8c9df06a68fc105162f;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Dereferenced unchecked pointer to Handshke packet number space

This issue was reported by longrtt interop test with quic-go as client and @chipitsine in GH #2282 when haproxy is compiled against libressl. Add two checks to prevent a pointer to the Handshake packet number space to be dereferenced if this packet number space was released. Thank you to @chipitsine for this report. No need to backport.
---
diff --git a/src/quic_tx.c b/src/quic_tx.c
index 67c57efb57..22ec33468f 100644
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
@@ -1339,7 +1339,8 @@ int qc_dgrams_retransmit(struct quic_conn *qc)
 goto leave;
 /* Put back unsent frames in their packet number spaces */
 LIST_SPLICE(&ipktns->tx.frms, &ifrms);
- LIST_SPLICE(&hpktns->tx.frms, &hfrms);
+ if (hpktns)
+ LIST_SPLICE(&hpktns->tx.frms, &hfrms);
 }
 else {
 /* We are in the case where the anti-amplification limit will be
@@ -1357,7 +1358,8 @@ int qc_dgrams_retransmit(struct quic_conn *qc)
 TRACE_STATE("no more need to probe Initial packet number space",
 QUIC_EV_CONN_TXPKT, qc);
 ipktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
- hpktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
+ if (hpktns)
+ hpktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
 }
 else {
 int i;
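Review bot: In the first hunk of qc_dgrams_retransmit(), when `hpktns` is NULL the new guard skips `LIST_SPLICE(&hpktns->tx.frms, &hfrms);`, and nothing on the visible lines puts back or frees whatever is still queued on `hfrms`. If `hfrms` can be non-empty after the Handshake packet number space has been released, those frames are silently dropped on this path. If it cannot, the invariant deserves a comment beside the guard, for example `/* hpktns was released: hfrms is expected to be empty here */`. The code that fills `hfrms` and the rest of the function lie outside the hunk, so this needs confirming against the full body.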
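Review bot: In the second hunk, the line just above the new guard, `ipktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;`, still dereferences `ipktns` unconditionally, as does `LIST_SPLICE(&ipktns->tx.frms, &ifrms);` in the first hunk. The commit message only covers release of the Handshake space; if the Initial space can be released in the same way, this is the same NULL dereference on a handshake-time retransmission path. The guard would then read `if (ipktns) ipktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;`. Whether an enclosing condition already guarantees `ipktns` is non-NULL is not visible here, since the function body starts and ends outside both hunks. If it does, a one-line comment saying why only `hpktns` needs the check would explain the asymmetry.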