From: Amaury Denoyelle Date: Wed, 29 Apr 2026 08:22:14 +0000 (+0200) Subject: BUG/MINOR: prevent conn leak in case of xprt_qmux init failure X-Git-Tag: v3.4-dev13~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f521581922b0ca4b4f322b3fe1e337324063b757;p=thirdparty%2Fhaproxy.git BUG/MINOR: prevent conn leak in case of xprt_qmux init failure In case of XPRT_QMUX init failure on the frontend side, the connection must immediately be released. This is not the case on the backend side as a stream can supervize the connection lifetime. This patch performs the connection free via conn_complete_session(). As conn is flagged with CO_FL_ERROR, this will automatically fail and invoke session_kill_embryonic(), which ensures the session and its connection are both freed as wanted in this case. No need to backport. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index dcc41124d..b74ee1952 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6977,16 +6977,24 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state) void *xprt_ctx_hs = NULL; ret = ops->init(conn, &xprt_ctx_hs); - BUG_ON(ret); + /* Frontend conn must be freed in case of XPRT init failure. */ + if (ret) { + if (!conn_is_back(conn)) { + conn->flags |= CO_FL_ERROR; /* Ensure conn will be freed on next call. */ + ret = conn_complete_session(conn); + BUG_ON(ret >= 0); /* conn_complete_session() expected to fail on CO_FL_ERROR */ + t = NULL; + } + goto leave; + } ret = ops->add_xprt(conn, xprt_ctx_hs, conn->xprt_ctx, conn->xprt, NULL, NULL); - BUG_ON(ret); + BUG_ON(ret); /* xprt_qmux add_xprt always succeeds */ conn->xprt = ops; conn->xprt_ctx = xprt_ctx_hs; - ret = conn->xprt->start(conn, xprt_ctx_hs); BUG_ON(ret); }
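Review bot: In the new `if (ret)` block, `conn->flags |= CO_FL_ERROR;` sits inside the `!conn_is_back(conn)` branch, so a backend connection whose `ops->init()` failed reaches `goto leave` with a non-zero `ret` and no error flag. The commit message relies on the stream to supervise that connection, but nothing visible here reports the failure; unless the code after `leave` (outside this hunk) does so, raise the flag for both sides by moving `conn->flags |= CO_FL_ERROR;` to the first line of the `if (ret)` block. On the frontend path `conn_complete_session()` is expected to free the connection, so a comment next to `t = NULL;` such as `/* conn and its xprt ctx are released here: nothing after leave may dereference them */` would guard the exit path against a later use-after-free. That invariant is enforced only by `BUG_ON(ret >= 0)`, which checks nothing in builds that disable BUG_ON, and the existing comment "freed on next call" would read more accurately as "freed by the conn_complete_session() call below".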