From 2715dbe9d065d8700a8fba6e2605a451cfbb72b8 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Mon, 17 Feb 2025 10:54:41 +0100 Subject: [PATCH] BUG/MINOR: mux-quic: prevent crash after MUX init failure qmux_init() may fail for several reasons. In this case, connection resources are freed and underlying and a CONNECTION_CLOSE will be emitted via its quic_conn instance. In case of qmux_init() failure, qcc_release() is used to clean up resources, but QCC member is first resetted to NULL, as connection released must be delayed. Some cleanup operations are thus skipped, one of them is the resetting of connection member to NULL. This may cause a crash as is a dangling pointer after QCC release. One of the possible reproducer is to activate QMUX traces, which will cause a segfault on the qmux_init() error leave trace. To fix this, simply reset to NULL manually on qmux_init() failure. This must be backported up to 3.0. --- src/mux_quic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mux_quic.c b/src/mux_quic.c index d3beee730..3bf9577ce 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -3190,6 +3190,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx, /* In case of MUX init failure, session will ensure connection is freed. */ qcc->conn = NULL; qcc_release(qcc); + conn->ctx = NULL; } TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);
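Review bot: the added `conn->ctx = NULL;` after `qcc_release(qcc);` is what keeps the trailing `TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);` (and any later user of `conn->ctx`) from reaching freed QCC memory, but the hunk does not explain why the release function cannot clear it itself; the only hint is the commit message, which says the `conn` member is nulled before release so the corresponding cleanup step is skipped. Extend the existing comment above the block so the coupling is visible in the code, for example `/* qcc->conn was reset above, so qcc_release() will not clear conn->ctx; do it here. */`, and confirm that the other error exits of qmux_init() that reach this trace (only this one is shown in the diff) also leave `conn->ctx` either NULL or pointing at live memory, since the crash described is only fixed on the path this hunk touches.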