BUG/MINOR: mux_quic: prevent crash on qc_frm_free() with QMux

qc_frm_free() is a helper used to clean up a QUIC frame object. It is
used by MUX layer both for QUIC and QMux protocols.

This function takes a pointer to the underlying quic_conn, used only for
trace purpose. This patch fixes its usage for QMux to ensure that in
this case a NULL value is used.

No need to backport.

diff --git a/src/mux_quic.c b/src/mux_quic.c
index 0b0040d9c00ceca1dd3a2f6aed918466a11eccef..dcabe1ea9e845175fcf02038098ea22ce48ba177 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -2668,7 +2668,7 @@ static int qcs_send_reset(struct qcs *qcs)
        LIST_APPEND(&frms, &frm->list);
        if (qcc_send_frames(qcs->qcc, &frms, 0)) {
                if (!LIST_ISEMPTY(&frms))
-                       qc_frm_free(qcs->qcc->conn->handle.qc, &frm);
+                       qc_frm_free(conn_is_quic(qcs->qcc->conn) ? qcs->qcc->conn->handle.qc : NULL, &frm);
                TRACE_DEVEL("cannot send RESET_STREAM", QMUX_EV_QCS_SEND, qcs->qcc->conn, qcs);
                return 1;
        }
@@ -2719,7 +2719,7 @@ static int qcs_send_stop_sending(struct qcs *qcs)
        LIST_APPEND(&frms, &frm->list);
        if (qcc_send_frames(qcs->qcc, &frms, 0)) {
                if (!LIST_ISEMPTY(&frms))
-                       qc_frm_free(qcc->conn->handle.qc, &frm);
+                       qc_frm_free(conn_is_quic(qcc->conn) ? qcc->conn->handle.qc : NULL, &frm);
                TRACE_DEVEL("cannot send STOP_SENDING", QMUX_EV_QCS_SEND, qcs->qcc->conn, qcs);
                return 1;
        }
@@ -3493,7 +3493,7 @@ static void qcc_release(struct qcc *qcc)
 
        while (!LIST_ISEMPTY(&qcc->lfctl.frms)) {
                struct quic_frame *frm = LIST_ELEM(qcc->lfctl.frms.n, struct quic_frame *, list);
-               qc_frm_free(qcc->conn->handle.qc, &frm);
+               qc_frm_free(conn_is_quic(qcc->conn) ? qcc->conn->handle.qc : 0, &frm);
        }
 
        qcc_clear_frms(qcc);