mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-10-27 06:31:23 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: quic: do not reset QUIC backends fds in closing state

Browse Source 
This bug impacts only the backends.

When entering the closing state, a quic_closed_conn is used to replace the quic_conn.
In this state, the ->fd value was reset to -1 value calling qc_init_fd(). This value
is used by qc_may_use_saddr() which supposes it cannot be -1 for a backend, leading
->li to be dereferencd, which is legal only for a listener.

This bug impacts only the backend but with possible crash when qc_may_use_saddr()
is called: qc_test_fd() is false leading qc->li to be dereferenced. This is legal
only for a listener.

This patch prevents such fd value resettings for backends.

No need to backport because the QUIC backends support arrived with 3.3.
This commit is contained in:
Frederic Lecaille 2025-10-17 11:04:36 +02:00
parent 56d15b2a03
commit 8a8417b54a
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/quic_conn.c
View File

@ -724,7 +724,10 @@ static struct quic_conn_closed *qc_new_cc_conn(struct quic_conn *qc)
quic_conn_mv_cids_to_cc_conn(cc_qc, qc); quic_conn_mv_cids_to_cc_conn(cc_qc, qc);
qc_init_fd((struct quic_conn *)cc_qc); if (qc_is_back(qc))
cc_qc->fd = qc->fd;
else
qc_init_fd((struct quic_conn *)cc_qc);
cc_qc->flags = qc->flags; cc_qc->flags = qc->flags;
cc_qc->err = qc->err; cc_qc->err = qc->err;