From d3973853c2123c7e55f222c3d68fe3441ee1badc Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 25 Jul 2022 14:56:54 +0200
Subject: [PATCH] BUG/MINOR: mux-quic: prevent crash if conn released during IO callback
A qcc instance may be freed in the middle of qc_io_cb() if all streams were purged. This will lead to a crash as qcc instance is reused after this step. Jump directly to the end of the function to avoid this. Note that this bug has not been triggered for the moment. This is a safety fix to prevent it. This must be backported up to 2.6.
---
 src/mux_quic.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/mux_quic.c b/src/mux_quic.c
index d4851570c3..5580d46fb1 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -1673,6 +1673,7 @@ static struct task *qc_io_cb(struct task *t, void *ctx, unsigned int status)
 if (qc_purge_streams(qcc)) {
 if (qcc_is_dead(qcc)) {
 qc_release(qcc);
+ goto end;
 }
 else if (qcc->task) {
 if (qcc_may_expire(qcc))
@@ -1685,6 +1686,7 @@ static struct task *qc_io_cb(struct task *t, void *ctx, unsigned int status)
 qc_recv(qcc);
+ end:
 TRACE_LEAVE(QMUX_EV_QCC_WAKE);
 return NULL;
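Review bot: Nothing in the first hunk marks that `qcc` is a dangling pointer after `qc_release(qcc)`, so the `goto end` is only safe because the code at `end:` in the second hunk is `TRACE_LEAVE(QMUX_EV_QCC_WAKE)` with no qcc argument followed by `return NULL;`; a later addition at the label that touches `qcc` would reintroduce the use-after-free this patch is guarding against. A comment on the jump, `/* qcc is freed: do not touch it past this point; end: must stay free of qcc accesses */`, and a matching one-liner above `end:`, would make that invariant explicit rather than implicit. If `qc_release()` also frees the tasklet currently executing this callback, the `return NULL` after the label is what keeps the scheduler from re-arming it, which is worth stating in the same comment if that is the case. qc_io_cb begins before the first hunk and its closing brace is not visible here.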