From 1759c972550aa3350a333ec35814443f6cf189b7 Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouchard@haproxy.com>
Date: Wed, 10 Sep 2025 11:40:32 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: Fix a crash when using QUIC

Commit 5ab9954faa9c815425fa39171ad33e75f4f7d56f introduced a new flag in
ssl_sock_ctx, to know that an ALPN was negociated, however, the way to
get the ssl_sock_ctx was wrong for QUIC. If we're using QUIC, get it
from the quic_conn.
This should fix crashes when attempting to use QUIC.
---
 src/ssl_sock.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 69dd4e70e..bc3008a1b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2179,13 +2179,17 @@ static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
 {
 	struct ssl_bind_conf *conf = arg;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	struct ssl_sock_ctx *ctx = NULL;
 
 #ifdef USE_QUIC
 	struct quic_conn *qc = SSL_get_ex_data(s, ssl_qc_app_data_index);
+	if (qc)
+		ctx = qc->xprt_ctx;
 #endif
-	conn = SSL_get_ex_data(s, ssl_app_data_index);
-	ctx = __conn_get_ssl_sock_ctx(conn);
+	if (!ctx) {
+		conn = SSL_get_ex_data(s, ssl_app_data_index);
+		ctx = __conn_get_ssl_sock_ctx(conn);
+	}
 
 	if (SSL_select_next_proto((unsigned char**) out, outlen, (const unsigned char *)conf->alpn_str,
 	                          conf->alpn_len, server, server_len) != OPENSSL_NPN_NEGOTIATED) {
@@ -2203,7 +2207,8 @@ static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
 	}
 #endif
 
-	ctx->flags |= SSL_SOCK_F_HAS_ALPN;
+	if (ctx)
+		ctx->flags |= SSL_SOCK_F_HAS_ALPN;
 	return SSL_TLSEXT_ERR_OK;
 }
 #endif