From 35a66c0a367ec773d155ef1d380e8c9d2598afa8 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 12 Aug 2022 15:56:21 +0200
Subject: [PATCH] BUG/MINOR: mux-quic: fix crash with traces in qc_detach()

qc_detach() is used to free a qcs as notified by sedesc. If there is no more stream active and the connection is considered as dead, it will then be freed. This prevent to dereference qcc in TRACE macro. Else this will cause a crash. Use a different code-path on release for qc_detach() to fix this bug. This will fix the last occurence of crash on github issue #1808. This has been introduced by recent QUIC MUX traces rework. Thus, it does not need to be backport.
---
 src/mux_quic.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/mux_quic.c b/src/mux_quic.c
index 196f682c2..57d7fdb2e 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -2099,7 +2099,7 @@ static void qc_detach(struct sedesc *sd)

 if (qcc_is_dead(qcc)) {
 TRACE_STATE("killing dead connection", QMUX_EV_STRM_END, qcc->conn);
- qc_release(qcc);
+ goto release;
 }
 else if (qcc->task) {
 TRACE_DEVEL("refreshing connection's timeout", QMUX_EV_STRM_END, qcc->conn);
@@ -2110,6 +2110,12 @@ static void qc_detach(struct sedesc *sd)
 }

 TRACE_LEAVE(QMUX_EV_STRM_END, qcc->conn);
+ return;
+
+ release:
+ qc_release(qcc);
+ TRACE_LEAVE(QMUX_EV_STRM_END);
+ return;
 }

 /* Called from the upper layer, to receive data */
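Review bot: The new `release:` path at the end of qc_detach() has no comment explaining why its `TRACE_LEAVE(QMUX_EV_STRM_END)` omits `qcc->conn`, so a later edit could restore the argument and bring back the dereference of a connection that, per the commit message, qc_release() frees. I would add `/* qcc is freed by qc_release(): it must not be dereferenced past this point, traces included */` directly above `qc_release(qcc);`. As a style point, the final `return;` before the closing brace of this void function is redundant and can be dropped. qc_detach() starts outside the hunk, so I could not check whether any other statement between the label and the function end touches qcc or its streams.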