From ee65efbfaea35df4038ec9a9a0fb8c63ad0eb0cc Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle <adenoyelle@haproxy.com> Date: Fri, 12 May 2023 16:29:48 +0200 Subject: [PATCH] BUG/MINOR: mux-quic: free task on qc_init() app ops failure qc_init() is used to initialize a QUIC MUX instance. On failure, each resources are released via a series of goto statements. There is one issue if the app_ops.init callback fails. In this case, MUX task is not freed. This can cause a crash as the task is already scheduled. When the handler will run, it will crash when trying to access qcc instance. To fix this, properly destroy qcc task on fail_install_app_ops label. The impact of this bug is minor as app_ops.init callback succeeds most of the time. However, it may fail on allocation failure due to memory exhaustion. This may fix github issue #2154. This must be backported up to 2.7. --- src/mux_quic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mux_quic.c b/src/mux_quic.c index 15fd5702b..1ac995679 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -2569,6 +2569,7 @@ static int qc_init(struct connection *conn, struct proxy *prx, fail_install_app_ops: if (qcc->app_ops && qcc->app_ops->release) qcc->app_ops->release(qcc->ctx); + task_destroy(qcc->task); fail_no_timeout_task: tasklet_free(qcc->wait_event.tasklet); fail_no_tasklet:
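Review bot: In the fail_install_app_ops path, the new task_destroy(qcc->task) call is unconditional, whereas the app_ops release call directly above it is guarded by a NULL check. The following label is named fail_no_timeout_task, which suggests there are configurations in which no timeout task is allocated. Please confirm that qcc->task is always set when this label is reached, or that task_destroy() is safe on a NULL pointer, and note which one in a one-line comment next to the call. Since the commit message says the crash comes from the already-scheduled handler dereferencing a freed qcc, it would also help to state in that comment that the task must be destroyed before qcc itself is released further down the unwind chain, so that later reordering of these labels does not reintroduce the bug.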