From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Sat, 26 Mar 2022 11:22:41 +0000 (+0100)
Subject: BUG/MEDIUM: quic: Possible crash in ha_quic_set_encryption_secrets()
X-Git-Tag: v2.6-dev5~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f44d19eb91221ebb6b475bac45daeaf30c6a4cb5;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: Possible crash in ha_quic_set_encryption_secrets()

This bug has come with this commit:
   1fc5e16c4 MINOR: quic: More accurate immediately close
As mentionned in this commit we do not want to derive anymore secret when in closing
state. But the flag which denote secrets were derived was set. Add a label at
the correct flag to skip the secrets derivation without setting this flag.
---

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index e13773f5b1..901030413b 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -775,7 +775,7 @@ int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t level,
 	BUG_ON(secret_len > QUIC_TLS_SECRET_LEN);
 	if (HA_ATOMIC_LOAD(&qc->flags) & QUIC_FL_CONN_IMMEDIATE_CLOSE) {
 		TRACE_PROTO("CC required", QUIC_EV_CONN_RWSEC, qc);
-		goto out;
+		goto no_secret;
 	}
 
 	if (!quic_tls_ctx_keys_alloc(tls_ctx)) {
@@ -838,6 +838,7 @@ int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t level,
 
  out:
 	tls_ctx->flags |= QUIC_FL_TLS_SECRETS_SET;
+ no_secret:
 	TRACE_LEAVE(QUIC_EV_CONN_RWSEC, qc, &level);
 	return 1;