This bug impacts only the backends.
When entering the closing state, a quic_closed_conn is used to replace the quic_conn.
In this state, the ->fd value was reset to -1 by calling qc_init_fd(). This value
is used by qc_may_use_saddr() which supposes it cannot be -1 for a backend, leading
->li to be dereferenced, which is legal only for a listener.
This bug impacts only the backend but with possible crash when qc_may_use_saddr()
is called: qc_test_fd() is false leading qc->li to be dereferenced. This is legal
only for a listener.
This patch prevents such fd value resets for backends.
No need to backport because the QUIC backends support arrived with 3.3.
quic_conn_mv_cids_to_cc_conn(cc_qc, qc);
- qc_init_fd((struct quic_conn *)cc_qc);
+ if (qc_is_back(qc))
+ cc_qc->fd = qc->fd;
+ else
+ qc_init_fd((struct quic_conn *)cc_qc);
cc_qc->flags = qc->flags;
cc_qc->err = qc->err;
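Review bot: copying qc->fd into cc_qc->fd on the backend branch makes both connections refer to the same descriptor, so the release path for the original qc should either leave that fd open or reset qc->fd after the copy; otherwise cc_qc inherits a descriptor that gets closed when qc is freed, and qc_test_fd() would again mislead qc_may_use_saddr(). A one-line comment above `if (qc_is_back(qc))` stating that backends must keep a valid fd (the qc_may_use_saddr() assumption described in the message) would also help the next reader understand why the listener and backend cases diverge here.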