From 729196fbedad7bcc906a34a144a5fa4ffd2464dc Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Tue, 26 Aug 2025 10:26:14 +0200
Subject: [PATCH] BUG/MEDIUM: quic-be: avoid crashes when releasing Initial pktns
This bug arrived with this fix: BUG/MINOR: quic-be: missing Initial packet number space discarding leading to crashes when dereferencing ->ipktns. Such crashes could be reproduced with -dMfail option. To reach them, the memory allocations must fail. So, this is relatively rare, except on systems with limited memory. To fix this, do not call quic_pktns_discard() if ->ipktns is NULL. No need to backport.
---
 src/quic_conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 311598392..7c0fcb7da 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -916,7 +916,7 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state)
 	 * discard Initial keys when it first sends a Handshake packet...
 	 */
-	if (qc_is_back(qc) && !quic_tls_pktns_is_dcd(qc, qc->ipktns) &&
+	if (qc_is_back(qc) && qc->ipktns && !quic_tls_pktns_is_dcd(qc, qc->ipktns) &&
 	    qc->hpktns && qc->hpktns->tx.in_flight > 0) {
 		/* Discard the Initial packet number space. */
 		TRACE_PROTO("discarding Initial pktns", QUIC_EV_CONN_PRSHPKT, qc);
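Review bot: The new NULL guard on `qc->ipktns` lands in an already four-term condition with nothing in the code saying why the Initial packet number space can be absent here; a reader seeing `qc->ipktns && !quic_tls_pktns_is_dcd(qc, qc->ipktns)` next to the existing `qc->hpktns` guard has no hint that NULL means an earlier allocation failure, which the commit message says only reproduces under -dMfail. A one-line comment above the condition, `/* ->ipktns is NULL when its allocation failed: nothing to discard. */`, would keep that rationale with the code. Whether quic_tls_pktns_is_dcd() itself tolerates a NULL pktns is not visible in the hunk, so placing the guard before that call is the right order either way. The enclosing quic_conn_io_cb() starts and ends outside the hunk.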