From 869fb457ed4aca542df68b58ab7d6914732f6ab5 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Thu, 12 Jun 2025 10:59:35 +0200
Subject: [PATCH] BUG/MINOR: quic-be: CID double free upon qc_new_conn() failures

This issue may occur when qc_new_conn() fails after having allocated and attached to its tree. This is the case when compiling haproxy against WolfSSL for an unknown reason at this time. In this case the is freed by pool_head_quic_connection_id(), then freed again by quic_conn_release(). This bug arrived with this commit: MINOR: quic-be: QUIC connection allocation adaptation (qc_new_conn()) So, the aim of this patch is to free only for QUIC backends and if it is not attached to its tree. This is the case when local variable passed with NULL value to qc_new_conn() is then intialized to the same value.
---
 src/quic_conn.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 90c1a1db0..82cec926d 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1351,7 +1351,15 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 	return qc;
 
  err:
-	pool_free(pool_head_quic_connection_id, conn_id);
+	if (!l && !conn_id) {
+		/* For QUIC clients, is locally used and initialized to
+		 * value as soon as this latter is attached to the CIDs tree. It must
+		 * be freed only if it has not been attached to this tree. This is
+		 * quic_conn_release() which free this CID when it is attached to the tree.
+		 */
+		pool_free(pool_head_quic_connection_id, conn_id);
+	}
+
 	quic_conn_release(qc);
 
 	/* Decrement global counters. Done only for errors happening before or
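Review bot: As rendered, the new guard `if (!l && !conn_id)` only lets `pool_free(pool_head_quic_connection_id, conn_id);` run when `conn_id` is already NULL, and if I read haproxy's pool API right pool_free() on a NULL pointer is a no-op, so this branch can never release anything and the leak-vs-double-free problem is just moved. The commit description says the CID to release lives in a local variable that is copied into the parameter once it is attached to the tree, so the intended shape is presumably to test the parameter but free the local, roughly `if (!l && !conn_id) pool_free(pool_head_quic_connection_id, LOCAL_CID /* placeholder: the local CID variable */);`; the angle-bracketed identifiers in both the comment and the description appear to have been stripped by this rendering, so please confirm against the tree whether this is an extraction artifact or the committed code. Since a double free of a pool object is a memory-safety bug, the ownership rule the comment states (quic_conn_release() frees the CID once it is in the tree, the error path frees it only before that) is worth repeating in the function's header comment so the next edit to this path keeps it; the comment's "which free this CID" should also read "which frees this CID". qc_new_conn() begins before this hunk and continues after it.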