From 641a65ff3cccd394eed49378c6ccdb8ba0a101a7 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 7 Dec 2022 11:26:16 +0100
Subject: [PATCH] BUG/MINOR: mux-quic: remove qcs from opening-list on free qcs instances for bidirectional streams are inserted in . It is removed from the list once a full HTTP request has been parsed. This is required to implement http-request timeout. If a qcs instance is freed before receiving a full HTTP request, it must be removed from the . Else a segfault will occur in qcc_refresh_timeout() when accessing a dangling pointer. For the moment this bug was not reproduced in production. This is because there exists only few rare cases where a qcs is freed before HTTP request parsing. However, as error detection will be improved on H3, this will occur more frequently in the near future. This must be backported up to 2.6.
---
 src/mux_quic.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 9d7bcf5f96..04037a0f49 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -155,6 +155,9 @@ static void qcs_free(struct qcs *qcs)
 TRACE_ENTER(QMUX_EV_QCS_END, qcc->conn, qcs);
+ if (LIST_INLIST(&qcs->el_opening))
+ LIST_DELETE(&qcs->el_opening);
+
 qc_free_ncbuf(qcs, &qcs->rx.ncbuf);
 b_free(&qcs->tx.buf);
-- 
2.47.3
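Review bot: The new `LIST_INLIST(&qcs->el_opening)` guard in qcs_free() is only sound if `el_opening` is self-linked whenever the stream is not queued, and nothing in this hunk establishes that. The allocation path would need to `LIST_INIT` the element for every qcs, including streams that are never put on the opening list. The removal done after a full request is parsed would need `LIST_DEL_INIT` rather than a plain `LIST_DELETE`, otherwise this branch would presumably unlink an already-detached element through stale neighbour pointers. Both sites are outside the hunk, as are the start and end of qcs_free(), so please confirm them before the backport to 2.6. The block also deserves a why-comment, for example `/* detach from the qcc opening list: qcc_refresh_timeout() walks it and must never reach a freed qcs */`.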