From 63a6f26a861b8cd3430d964317db1276544024c0 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Wed, 11 Oct 2023 16:04:35 +0200 Subject: [PATCH] BUG/MINOR: quic: fix free on quic-conn fail alloc qc_new_conn() allocates several elements in intermediary steps. If one of them fails, a global free is done on the quic_conn and its elements. This requires that most elements are first initialized to NULL or equivalent to ensure the freeing operation is done only on proper values. One of these elements is qc.tx.cc_buf_area. It was initialized too late, which could cause crashes. This is introduced by 9f7cfb0a56352188854bdaef9617ca836c2a30c9 MEDIUM: quic: Allow the quic_conn memory to be asap released. No need to backport. --- src/quic_conn.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/quic_conn.c b/src/quic_conn.c index f2957f4ed..a393e76c8 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -1184,6 +1184,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4, /* Required to call free_quic_conn_cids() from quic_conn_release() */ qc->cids = NULL; + qc->tx.cc_buf_area = NULL; qc_init_fd(qc); LIST_INIT(&qc->back_refs);
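Review bot: the added `qc->tx.cc_buf_area = NULL;` is placed directly under a comment that only explains the preceding line (`/* Required to call free_quic_conn_cids() from quic_conn_release() */ qc->cids = NULL;`), so the reason this second field must also be NULL before the first failure path is not recorded next to it; extend the comment to cover cc_buf_area (it is freed by quic_conn_release() on the error path, per the commit message) so a later refactor does not move the initialization back below an allocation that can fail. More broadly, the message states that most elements must be initialized before any intermediate allocation fails, yet the fix is one more hand-placed assignment; zeroing the whole quic_conn at allocation, or keeping all such "must be NULL before goto err" assignments in one clearly marked block at the top of qc_new_conn(), would stop this class of late-init free-on-garbage bug from recurring field by field.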