From 622ec4166b8d755a9dde9cd3024a2046dd555a48 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 13 Apr 2022 16:58:26 +0200
Subject: [PATCH] BUG/MINOR: quic-sock: do not double free session on conn init failure

In the quic_session_accept, connection is in charge to call the quic-conn start callback. If this callback fails for whatever reason, there is a crash because of an explicit session_free. This happens because the connection is now the owner of the session due to previous conn_complete_session call. It will automatically calls session_free.

Fix this by skipping the session_free explicit invocation on error.

In practice, currently this has never happened as there is only limited cases of failures for conn_xprt_start for QUIC.
---
 src/quic_sock.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/quic_sock.c b/src/quic_sock.c
index 1aa001599..3baf3fd13 100644
--- a/src/quic_sock.c
+++ b/src/quic_sock.c
@@ -66,8 +66,16 @@ int quic_session_accept(struct connection *cli_conn)
 	if (conn_complete_session(cli_conn) < 0)
 		goto out_free_sess;
 
-	if (conn_xprt_start(cli_conn) >= 0)
-		return 1;
+	if (conn_xprt_start(cli_conn) < 0) {
+		/* conn_complete_session has succeeded : conn is the owner of
+		 * the session and the MUX is initialized.
+		 * Let the MUX free all resources on error.
+		 */
+		cli_conn->mux->destroy(cli_conn->ctx);
+		return -1;
+	}
+
+	return 1;
 
 out_free_sess:
 	/* prevent call to listener_release during session_free. It will be
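Review bot: The -1 returned from the new `conn_xprt_start` failure branch leaves `cli_conn`, its MUX context and the session already released by `cli_conn->mux->destroy(cli_conn->ctx)`, but nothing at that return site records that the caller must not touch or free the connection again, which is the same double-free class this commit fixes if the accept path still does so. I would add `/* -1: connection, session and MUX ctx already released by mux->destroy; caller must not touch cli_conn */` above `return -1;`, and confirm the caller treats this -1 and the `out_free_sess` -1 identically even though the two paths leave different objects alive. The branch also dereferences `cli_conn->mux` unconditionally; if a successful `conn_complete_session()` does not strictly guarantee a MUX is installed (the comment asserts it, the hunk does not show it), a guard such as `if (cli_conn->mux) cli_conn->mux->destroy(cli_conn->ctx);` is cheaper than a crash reachable from a peer-triggered handshake failure. Whether `mux->destroy` also tears down the partially-started xprt/quic_conn state is outside this hunk and worth verifying rather than assuming.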