MINOR: h3: fix potential NULL dereference

Fix potential allocation failure of HTX start-line during H3 request
decoding. In this case, h3_decode_qcs returns -1 as error code.

This addresses in part github issue #1445.

src/h3.c

@@ -93,7 +93,9 @@ static inline size_t h3_decode_frm_header(uint64_t *ftype, uint64_t *flen,
 	return hlen;
 }
 
-/* Decode <qcs> remotely initiated bidi-stream */
+/* Decode <qcs> remotely initiated bidi-stream.
+ * Returns <0 on error else 0.
+ */
 static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 {
 	struct buffer *rxbuf = &qcs->rx.buf;
@@ -171,6 +173,8 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 			flags |= HTX_SL_F_VER_11;
 
 			sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
+			if (!sl)
+				goto fail;
 			sl->flags |= HTX_SL_F_BODYLESS;
 			sl->info.req.meth = find_http_meth(meth.ptr, meth.len);
 			BUG_ON(sl->info.req.meth == HTTP_METH_OTHER);
@@ -215,7 +219,10 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 		b_del(rxbuf, flen);
 	}
 
-	return 1;
+	return 0;
+
+ fail:
+	return -1;
 }
 
 /* Parse a SETTINGS frame which must not be truncated with <flen> as length from

src/xprt_quic.c

@@ -1828,7 +1828,7 @@ static int qc_handle_bidi_strm_frm(struct quic_rx_packet *pkt,
 		    goto store_frm;
 
 		ret = qc_strm_cpy(&strm->rx.buf, strm_frm);
-		if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) == -1) {
+		if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) < 0) {
 			TRACE_PROTO("Decoding error", QUIC_EV_CONN_PSTRM);
 			return 0;
 		}