From 0e5e197f2a071490e0f8f61e76beb230cefed600 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 17 Feb 2025 17:15:49 +0100
Subject: [PATCH] BUG/MINOR: quic: prevent crash on conn access after MUX init failure

Initially, QUIC-MUX was responsible for resetting the quic_conn member to NULL when the MUX was released. This was performed via qcc_release(). However, qcc_release() is also used on qmux_init() failure. In this case, the connection must be freed via its session, so the QCC member is reset to NULL prior to qcc_release(), which prevents the quic_conn member from also being reset. As the connection is freed soon after, quic_conn is a dangling pointer, which may cause crashes.

This bug should be very rare as it first implies that QUIC-MUX initialization has failed (for example due to a memory alloc error). Also, the member is rarely used by the quic_conn instance. In fact, the only reproducible crash was done with QUIC traces activated, as in this case the connection is accessed via quic_conn under the __trace_enabled() function.

To fix this, detach the connection from quic_conn via the XPRT layer instead of the MUX. More precisely, this is performed via quic_close(). This should ensure that it will always be conducted, either on normal connection closure, but also after special conditions such as MUX init failure.

This should be backported up to 2.6.

(cherry picked from commit 2cdc4695cb82fce46d67cef17300ec7cf978906e)
Signed-off-by: Willy Tarreau
(cherry picked from commit 82e7d79e727b148afae59592931fd0191c5eb1c5)
Signed-off-by: Amaury Denoyelle
---
 src/mux_quic.c | 1 -
 src/xprt_quic.c | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mux_quic.c b/src/mux_quic.c index 3593b00..57dc23e 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2638,7 +2638,6 @@ static void qcc_release(struct qcc *qcc) if (conn) { LIST_DEL_INIT(&conn->stopping_list); - conn->handle.qc->conn = NULL; conn->mux = NULL; conn->ctx = NULL; 
diff --git a/src/xprt_quic.c b/src/xprt_quic.c index d6d1a16..dcca435 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -25,6 +25,8 @@ static void quic_close(struct connection *conn, void *xprt_ctx) TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); + qc->conn = NULL; + /* Next application data can be dropped. */ qc->mux_state = QC_MUX_RELEASED; -- 1.7.10.4
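Review bot: In the qcc_release() hunk (src/mux_quic.c), dropping `conn->handle.qc->conn = NULL;` makes the MUX rely entirely on the XPRT layer to clear the back-pointer, so the fix is only complete if quic_close() runs on every path that frees the connection, including the qmux_init() failure path the commit message describes, where the connection is freed via its session. Worth confirming in review that this release-via-session path does go through the xprt close callback, otherwise the dangling `qc->conn` this patch targets would simply move rather than disappear. A one-line comment next to `conn->mux = NULL;` noting that `qc->conn` is now cleared by quic_close() would spare the next reader from wondering why the MUX no longer detaches itself.

Review bot: In the quic_close() hunk (src/xprt_quic.c), `qc->conn = NULL;` is placed right after `TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc);`, which is the correct order given the commit message's observation that tracing reaches the connection through quic_conn: the trace at function entry still sees a live connection, and everything after it sees NULL. Two things to check: that no later statement in quic_close() still needs `qc->conn` (the visible context only shows `qc->mux_state = QC_MUX_RELEASED;`), and that a trace emitted at the end of this function (the usual TRACE_LEAVE counterpart) tolerates a NULL connection, since after this line that is the state it will observe. A short comment mirroring the existing `/* Next application data can be dropped. */` style, explaining that the connection is being detached because it may be freed immediately afterwards, would document why the assignment lives here rather than in the MUX.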