BUG/MINOR: quic: prevent crash on conn access after MUX init failure
Initially, QUIC-MUX was responsible for resetting the quic_conn <conn> member to NULL when the MUX was released. This was performed via qcc_release(). However, qcc_release() is also used on qmux_init() failure. In this case, the connection must be freed via its session, so the QCC <conn> member is reset to NULL prior to qcc_release(), which prevents the quic_conn <conn> member from also being reset. As the connection is freed soon after, quic_conn <conn> is a dangling pointer, which may cause crashes.

This bug should be very rare as, first, it implies that QUIC-MUX initialization has failed (for example due to a memory alloc error). Also, the <conn> member is rarely used by the quic_conn instance. In fact, the only reproducible crash was done with QUIC traces activated, as in this case the connection is accessed via quic_conn under the __trace_enabled() function.

To fix this, detach the connection from quic_conn via the XPRT layer instead of the MUX. More precisely, this is performed via quic_close(). This should ensure that it will always be conducted, both on normal connection closure and after special conditions such as MUX init failure.

This should be backported up to 2.6.
This commit is contained in:
parent 607aa57b2e
commit 2cdc4695cb
@ -2888,7 +2888,6 @@ static void qcc_release(struct qcc *qcc)
|
||||
if (conn) {
|
||||
LIST_DEL_INIT(&conn->stopping_list);
|
||||
|
||||
conn->handle.qc->conn = NULL;
|
||||
conn->mux = NULL;
|
||||
conn->ctx = NULL;
|
||||
|
||||
|
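Review bot: dropping `conn->handle.qc->conn = NULL;` from qcc_release() means this function no longer detaches the quic_conn from its connection at all, so correctness now depends entirely on quic_close() being reached on every path that frees the connection. The surrounding `conn->mux = NULL;` and `conn->ctx = NULL;` still clear the connection side, but nothing left in this `if (conn)` block says where the reverse pointer is cleared; a one-line comment referring to quic_close() would keep the two halves of the detach easy to find. Note also that on the qmux_init() failure path described in the commit message `conn` is already NULL here, so this whole block is skipped, which is exactly why the MUX was the wrong place for this reset.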
@ -25,6 +25,8 @@ static void quic_close(struct connection *conn, void *xprt_ctx)
|
||||
|
||||
TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc);
|
||||
|
||||
qc->conn = NULL;
|
||||
|
||||
/* Next application data can be dropped. */
|
||||
qc->mux_state = QC_MUX_RELEASED;
|
||||
|
||||
|
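Review bot: `qc->conn = NULL;` is placed right after `TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc);`, which is the correct order, since the commit message says traces dereference `qc->conn` and at this point in quic_close() the connection is still valid; a short comment stating that the connection is freed right after this call, so the back-pointer must be cleared here, would document the invariant the fix relies on. It would also be worth confirming in review that every path that frees the connection (including the session-driven free after MUX init failure) goes through the XPRT close, since the original dangling-pointer problem simply moves if any path frees the connection without calling quic_close().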