From: Frederic Lecaille <flecaille@haproxy.com>
Date: Mon, 20 Oct 2025 12:27:12 +0000 (+0200)
Subject: BUG/MINOR: quic-be: unchecked connections during handshakes
X-Git-Tag: v3.3-dev11~81
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=edd21121d2e0251e10ee05c2ba535722289f273d;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic-be: unchecked connections during handshakes

This bug impacts only the backends.

The ->conn (pointer to struct connection) member validity of the ssl_sock_ctx
struct was not checked before being dereferenced, leading to possible crashes
in qc_ssl_do_hanshake() during handshake.

This was reported by GH #3163 issue.

No need to backport because the QUIC backend support arrived with 3.3
---

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 31220ff77..6e315ca48 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -977,7 +977,7 @@ int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 				goto err;
 			}
 		}
-		else {
+		else if (ctx->conn) {
 			const unsigned char *alpn;
 			size_t alpn_len;
 
@@ -998,6 +998,9 @@ int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 			ctx->conn->mux->wake(ctx->conn);
 			qc->mux_state = QC_MUX_READY;
 		}
+		else {
+			TRACE_PROTO("could not start the mux", QUIC_EV_CONN_IO_CB, qc);
+		}
 
 		qc->flags |= QUIC_FL_CONN_NEED_POST_HANDSHAKE_FRMS;
 		if (!qc_is_back(qc)) {