From 7eadf362f32dac4f44b72308447e3281df3d69a7 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Mon, 17 Feb 2025 10:54:41 +0100 Subject: [PATCH] BUG/MINOR: mux-quic: prevent crash after MUX init failure qmux_init() may fail for several reasons. In this case, connection resources are freed and underlying and a CONNECTION_CLOSE will be emitted via its quic_conn instance. In case of qmux_init() failure, qcc_release() is used to clean up resources, but QCC member is first resetted to NULL, as connection released must be delayed. Some cleanup operations are thus skipped, one of them is the resetting of connection member to NULL. This may cause a crash as is a dangling pointer after QCC release. One of the possible reproducer is to activate QMUX traces, which will cause a segfault on the qmux_init() error leave trace. To fix this, simply reset to NULL manually on qmux_init() failure. This must be backported up to 3.0. (cherry picked from commit 2715dbe9d065d8700a8fba6e2605a451cfbb72b8) Signed-off-by: Willy Tarreau (cherry picked from commit e02d842f091e79dd58a13c0c12c7d72affc131cd) Signed-off-by: Amaury Denoyelle --- src/mux_quic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mux_quic.c b/src/mux_quic.c index 57dc23e..8da7a65 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2873,6 +2873,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx, /* In case of MUX init failure, session will ensure connection is freed. */ qcc->conn = NULL; qcc_release(qcc); + conn->ctx = NULL; } TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn); -- 1.7.10.4
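Review bot: the new `conn->ctx = NULL;` is placed after `qcc_release(qcc)`, so during the release call `conn->ctx` still points at the QCC being torn down; because `qcc->conn = NULL;` on the preceding line prevents qcc_release() from reaching the connection, this is safe today, but moving the reset above the call (or immediately next to `qcc->conn = NULL;`) would close that window without relying on the release path never touching the connection. The comment `/* In case of MUX init failure, session will ensure connection is freed. */` should also say why the explicit reset is needed here: qcc_release() skips clearing `conn->ctx` when `qcc->conn` is NULL, which is what left the dangling pointer that the following `TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);` dereferenced. Without that note a later cleanup could drop the line as redundant and reintroduce the crash.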