From 5f26cf162c828666797f7c3d018da0fc61b59564 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 20 Feb 2026 11:05:40 +0100
Subject: [PATCH] MINOR: quic: add BUG_ON() on half_open_conn counter access from BE half_open_conn is a proxy counter used to account for quic_conn in half-open state : this represents a connection whose address is not yet validated (handshake successful, or via token validation). This counter only has sense for the frontend side. Currently, code is safe as access is only performed if quic_conn is not yet flagged with QUIC_FL_CONN_PEER_VALIDATED_ADDR, which is always set for backend connections. To better reflect this, add a BUG_ON() when half_open_conn is incremented/decremented to ensure this never occurs for backend connections.
---
 src/quic_conn.c | 3 ++-
 src/quic_rx.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 378474010..5b643fd3a 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1665,7 +1665,8 @@ int quic_conn_release(struct quic_conn *qc)
 /* Connection released before peer address validated. */
 if (unlikely(!(qc->flags & QUIC_FL_CONN_PEER_VALIDATED_ADDR))) {
- BUG_ON(!qc->prx_counters->half_open_conn);
+ /* half_open_conn counter must not be manipulated by BE conns. */
+ BUG_ON(qc_is_back(qc) || !qc->prx_counters->half_open_conn);
 HA_ATOMIC_DEC(&qc->prx_counters->half_open_conn);
 }
diff --git a/src/quic_rx.c b/src/quic_rx.c
index 89944843e..70ac60695 100644
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -1357,7 +1357,8 @@ int qc_treat_rx_pkts(struct quic_conn *qc)
 TRACE_STATE("validate peer address on handshake packet", QUIC_EV_CONN_RXPKT, qc, pkt);
 qc->flags |= QUIC_FL_CONN_PEER_VALIDATED_ADDR;
- BUG_ON(!qc->prx_counters->half_open_conn);
+ /* half_open_conn counter must not be manipulated by BE conns. */
+ BUG_ON(qc_is_back(qc) || !qc->prx_counters->half_open_conn);
 HA_ATOMIC_DEC(&qc->prx_counters->half_open_conn);
 }
-- 2.47.3
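Review bot: In quic_conn_release(), folding both conditions into the single `BUG_ON(qc_is_back(qc) || !qc->prx_counters->half_open_conn);` means a failed assertion alone cannot say whether a backend connection reached this path or the counter was about to underflow. Two separate assertions, `BUG_ON(qc_is_back(qc));` followed by `BUG_ON(!qc->prx_counters->half_open_conn);`, keep each invariant identifiable when the process aborts. The same applies to the identical line added in qc_treat_rx_pkts() in src/quic_rx.c. The function body starts and ends outside the hunk.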
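Review bot: The comment added in qc_treat_rx_pkts() states the rule but not why it holds: per the description, backend connections always carry QUIC_FL_CONN_PEER_VALIDATED_ADDR, and the guard that tests this flag sits outside the hunk. This is the packet receive path and a failed BUG_ON() presumably aborts the process, so I would record the dependency in the comment, e.g. `/* BE conns always have QUIC_FL_CONN_PEER_VALIDATED_ADDR set and must never reach this point. */`. Separately, the description mentions increment as well as decrement, but both hunks of this patch guard only HA_ATOMIC_DEC sites, so the increment site appears to be left without the assertion.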