From 90d0e8a94847ec0d7074b99bc383f799c95b30f1 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Wed, 8 Apr 2026 14:58:08 +0200
Subject: [PATCH] BUG/MINOR: mux-quic: fix potential NULL deref on
 qcc_release()

In qcc_release(), <conn> may be NULL. Thus every access on it must be
tested.

With recent QMux introduction, a call to conn_is_quic() has been added
prior to registration of the stream rejection callback. It could lead to
NULL deref as <conn> is not tested there. Fix this by adding an extra
check on the pointer validity.

No need to backport.
---
 src/mux_quic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mux_quic.c b/src/mux_quic.c
index 732a33671..234dfe1c0 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -3463,7 +3463,7 @@ static void qcc_release(struct qcc *qcc)
 	if (qcc->app_ops) {
 		if (qcc->app_ops->release)
 			qcc->app_ops->release(qcc->ctx);
-		if (conn_is_quic(conn) && conn->handle.qc)
+		if (conn && conn_is_quic(conn) && conn->handle.qc)
 			conn->handle.qc->strm_reject = qcc->app_ops->strm_reject;
 	}
 	TRACE_PROTO("application layer released", QMUX_EV_QCC_END, conn);