1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: mux-quic: prevent crash after MUX init failure

Browse Source 
qmux_init() may fail for several reasons. In this case, connection
resources are freed and underlying and a CONNECTION_CLOSE will be
emitted via its quic_conn instance.

In case of qmux_init() failure, qcc_release() is used to clean up
resources, but QCC <conn> member is first resetted to NULL, as
connection released must be delayed. Some cleanup operations are thus
skipped, one of them is the resetting of <ctx> connection member to
NULL. This may cause a crash as <ctx> is a dangling pointer after QCC
release. One of the possible reproducer is to activate QMUX traces,
which will cause a segfault on the qmux_init() error leave trace.

To fix this, simply reset <ctx> to NULL manually on qmux_init() failure.

This must be backported up to 3.0.
This commit is contained in:
Amaury Denoyelle 2025-02-17 10:54:41 +01:00
parent 2cdc4695cb
commit 2715dbe9d0
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/mux_quic.c
View File

@ -3190,6 +3190,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx,
/* In case of MUX init failure, session will ensure connection is freed. */ /* In case of MUX init failure, session will ensure connection is freed. */
qcc->conn = NULL; qcc->conn = NULL;
qcc_release(qcc); qcc_release(qcc);
conn->ctx = NULL;
} }
TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn); TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);