From 8a8417b54af22e9d95998bb52ccb28a15cc7473f Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Fri, 17 Oct 2025 11:04:36 +0200
Subject: [PATCH] BUG/MAJOR: quic: do not reset QUIC backends fds in closing state

This bug impacts only the backends. When entering the closing state, a quic_closed_conn is used to replace the quic_conn. In this state, the ->fd value was reset to -1 value calling qc_init_fd(). This value is used by qc_may_use_saddr() which supposes it cannot be -1 for a backend, leading ->li to be dereferencd, which is legal only for a listener. This bug impacts only the backend but with possible crash when qc_may_use_saddr() is called: qc_test_fd() is false leading qc->li to be dereferenced. This is legal only for a listener. This patch prevents such fd value resettings for backends. No need to backport because the QUIC backends support arrived with 3.3.
---
 src/quic_conn.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index af17d43f0..f94a6b7dc 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -724,7 +724,10 @@ static struct quic_conn_closed *qc_new_cc_conn(struct quic_conn *qc)
 	quic_conn_mv_cids_to_cc_conn(cc_qc, qc);
-	qc_init_fd((struct quic_conn *)cc_qc);
+	if (qc_is_back(qc))
+		cc_qc->fd = qc->fd;
+	else
+		qc_init_fd((struct quic_conn *)cc_qc);
 	cc_qc->flags = qc->flags;
 	cc_qc->err = qc->err;