From 5718c67c19766c87bb68b7624e1873a887fbbaf1 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Thu, 20 Jun 2024 17:51:35 +0200
Subject: [PATCH] BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc
 failure

BUG_ON() from qcc_set_error() is triggered on HTTP/3 control stream
allocation failure. This is caused because both h3_finalize() and
qcc_init_stream_local() call qcc_set_error() which is forbidden to
prevent error code erasure.

Fix this by removing qcc_set_error() invocation from h3_finalize() on
allocation failure. Note that this function is still responsible to use
it on SETTING frame emission failure.

This was detected using -dMfail.

This must be backported up to 3.0.
---
 src/h3.c       | 7 +++++--
 src/mux_quic.c | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index 3c9463d92..2aa4fa78e 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -2378,20 +2378,23 @@ static int h3_finalize(void *ctx)
 
 	qcs = qcc_init_stream_local(qcc, 0);
 	if (!qcs) {
+		/* Error must be set by qcc_init_stream_local(). */
+		BUG_ON(!(qcc->flags & QC_CF_ERRL));
 		TRACE_ERROR("cannot init control stream", H3_EV_H3C_NEW, qcc->conn);
 		goto err;
 	}
 
 	h3c->ctrl_strm = qcs;
 
-	if (h3_control_send(qcs, h3c) < 0)
+	if (h3_control_send(qcs, h3c) < 0) {
+		qcc_set_error(qcc, H3_ERR_INTERNAL_ERROR, 1);
 		goto err;
+	}
 
 	TRACE_LEAVE(H3_EV_H3C_NEW, qcc->conn);
 	return 0;
 
  err:
-	qcc_set_error(qcc, H3_ERR_INTERNAL_ERROR, 1);
 	TRACE_DEVEL("leaving on error", H3_EV_H3C_NEW, qcc->conn);
 	return 1;
 }
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 2b408cecf..8e7f1c326 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -617,8 +617,8 @@ struct qcs *qcc_init_stream_local(struct qcc *qcc, int bidi)
 
 	qcs = qcs_new(qcc, *next, type);
 	if (!qcs) {
-		TRACE_LEAVE(QMUX_EV_QCS_NEW, qcc->conn);
 		qcc_set_error(qcc, QC_ERR_INTERNAL_ERROR, 0);
+		TRACE_DEVEL("leaving on error", QMUX_EV_QCS_NEW, qcc->conn);
 		return NULL;
 	}