From 74058745556a59d112914d6cf33f337d8d435cd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 3 Jul 2023 10:40:32 +0200
Subject: [PATCH] BUG/MINOR: quic: Missing QUIC connection path member initialization

This bug was introduced by this commit: MINOR: quic: Remove pool_zalloc() from qc_new_conn(). If ->path is not initialized to NULL value, and if a QUIC connection object allocation has failed (from qc_new_conn()), haproxy could crash in quic_conn_prx_cntrs_update() when dereferencing this QUIC connection member. No backport needed.
---
 src/quic_conn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index c205c351e..15a8d945b 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -5480,6 +5480,7 @@ static struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 qc->conn = NULL;
 qc->qcc = NULL;
 qc->app_ops = NULL;
+ qc->path = NULL;

 /* Keyupdate: required to safely call quic_tls_ku_free() from
 * quic_conn_release().
@@ -5652,7 +5653,11 @@ static inline void quic_conn_prx_cntrs_update(struct quic_conn *qc)
 HA_ATOMIC_ADD(&qc->prx_counters->sendto_err, qc->cntrs.sendto_err);
 HA_ATOMIC_ADD(&qc->prx_counters->sendto_err_unknown, qc->cntrs.sendto_err_unknown);
 HA_ATOMIC_ADD(&qc->prx_counters->sent_pkt, qc->cntrs.sent_pkt);
- HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
+ /* It is possible that ->path was not initialized. For instance if a
+ * QUIC connection allocation has failed.
+ */
+ if (qc->path)
+ HA_ATOMIC_ADD(&qc->prx_counters->lost_pkt, qc->path->loss.nb_lost_pkt);
 HA_ATOMIC_ADD(&qc->prx_counters->conn_migration_done, qc->cntrs.conn_migration_done);
 /* Stream related counters */
 HA_ATOMIC_ADD(&qc->prx_counters->data_blocked, qc->cntrs.data_blocked);
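Review bot: The new `qc->path = NULL;` store in qc_new_conn() carries no comment tying it to the failure path, unlike the Keyupdate block directly below it. The commit message says the object is no longer zeroed at allocation, so every member the release path reads has to be set by hand before the first failure exit, and that contract is worth stating next to the store, for example `/* ->path must be NULL before any failure exit: quic_conn_prx_cntrs_update() tests it */`. qc_new_conn() starts and ends outside the hunk, so whether a failure exit can be taken before these stores cannot be confirmed from here.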
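Review bot: The added comment in quic_conn_prx_cntrs_update() says ->path may be "not initialized", but the `if (qc->path)` test only protects the dereference when the member was explicitly set to NULL, as the first hunk now does; an indeterminate pointer would pass the test and still be dereferenced. The comment should state what the guard relies on, for example `/* ->path is still NULL if qc_new_conn() failed before allocating it. */`. The neighbouring lines dereference `qc->prx_counters` unconditionally, so if that member can also be unset when the allocation fails it needs the same initialization and check; that is not visible in this hunk. The function body continues outside the hunk.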