From 8038821c889a526bf228fd660e8e41f3bef2a775 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 8 Apr 2022 12:00:12 +0200
Subject: [PATCH] BUG/MEDIUM: mux-quic: properly release conn-stream on detach

On qc_detach(), the qcs must cleared the conn-stream context and set its cs pointer to NULL. This prevents the qcs to point to a dangling reference. Without this, a SEGFAULT may occurs in qc_wake_some_streams() when accessing an already detached conn-stream instance through a qcs.
Here is the SEGFAULT observed on haproxy.org.
Program terminated with signal 11, Segmentation fault.
1234 else if (qcs->cs->data_cb->wake) {
(gdb) p qcs.cs.data_cb
$1 = (const struct data_cb *) 0x0
This can happens since the following patch :
commit fe035eca3a24ea0f031fdcdad23809bea5de32e4
MEDIUM: mux-quic: report errors on conn-streams
---
src/mux_quic.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/mux_quic.c b/src/mux_quic.c
index b9131890d..3e3238891 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -1061,6 +1061,8 @@ static void qc_detach(struct conn_stream *cs)
 TRACE_ENTER(QMUX_EV_STRM_END, qcc->conn, qcs);
+ cs->ctx = NULL;
+ qcs->cs = NULL;
 --qcc->nb_cs;
 if ((b_data(&qcs->tx.buf) || qcs->tx.offset > qcs->tx.sent_offset) &&
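Review bot: Setting `qcs->cs = NULL` turns the dangling pointer into a NULL one, so the fix is only complete if every reader of `qcs->cs` — including the `qcs->cs->data_cb->wake` dereference in qc_wake_some_streams() quoted in the message — tests the pointer before use; that check is not visible in this patch, so the new lines deserve a comment stating the contract: `/* the conn-stream is gone: any later reader of qcs->cs must check for NULL */`. The body of qc_detach() continues past the hunk, so nothing after these two lines (nor in a qcs destructor reached from them, nor a trace macro that formats the conn-stream) may still read `cs->ctx` or `qcs->cs`. If the detached conn-stream left a subscription behind in `qcs->subs`, that reference would presumably stay dangling as well; worth confirming that an unsubscribe always precedes the detach.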