From bbd83e3de90ffa06e7c3ae2edaf9f8b0eade0df1 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Fri, 21 Nov 2025 11:06:38 +0100 Subject: [PATCH] BUG/MINOR: mux-quic: check access on qcs stream-endpoint Since the following commit, allocation of stream-endpoint has been delayed. The objective is to allocate it only for QCS attached to an upper stream object. commit e6064c561684d9b079e3b5725d38dc3b5c1b5cd5 OPTIM: mux-quic: delay FE sedesc alloc to stream creation However, some MUX functions are unsafe as qcs->sd is dereferenced without any check on it which will result in a crash. Fix this by testing that qcs->sd is allocated before using it. This does not need to be backported, unless the above patch is.
---
 src/mux_quic.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 2d6fb25b8..ee81fe492 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -2237,16 +2237,18 @@ int qcc_recv_stop_sending(struct qcc *qcc, uint64_t id, uint64_t err)
 }
 }
 
- /* Manually set EOS if FIN already reached as futures RESET_STREAM will be ignored in this case. */
- if (qcs_sc(qcs) && se_fl_test(qcs->sd, SE_FL_EOI)) {
- se_fl_set(qcs->sd, SE_FL_EOS);
- qcs_alert(qcs);
- }
+ if (qcs->sd) {
+ /* Manually set EOS if FIN already reached as futures RESET_STREAM will be ignored in this case. */
+ if (qcs_sc(qcs) && se_fl_test(qcs->sd, SE_FL_EOI)) {
+ se_fl_set(qcs->sd, SE_FL_EOS);
+ qcs_alert(qcs);
+ }
 
- /* If not defined yet, set abort info for the sedesc */
- if (!qcs->sd->abort_info.info) {
- qcs->sd->abort_info.info = (SE_ABRT_SRC_MUX_QUIC << SE_ABRT_SRC_SHIFT);
- qcs->sd->abort_info.code = err;
+ /* If not defined yet, set abort info for the sedesc */
+ if (!qcs->sd->abort_info.info) {
+ qcs->sd->abort_info.info = (SE_ABRT_SRC_MUX_QUIC << SE_ABRT_SRC_SHIFT);
+ qcs->sd->abort_info.code = err;
+ }
 }
 
 /* RFC 9000 3.5. Solicited State Transitions
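Review bot: The new `if (qcs->sd)` guard in qcc_recv_stop_sending() carries no comment on why `sd` can be NULL, and when it is NULL the `abort_info` assignment is skipped, so the STOP_SENDING code in `err` is not recorded anywhere visible in this hunk. Judging by its name this function handles a frame received from the peer, so the NULL case looks peer-reachable and would merit a comment such as `/* sd is only allocated once the QCS is attached to an upper stream */` and a regression test that delivers STOP_SENDING to a stream with no upper stream attached. Whether the dropped abort code matters once the sedesc is allocated later cannot be judged from these lines. The commit message says "some MUX functions" while only two sites are patched, so the remaining `qcs->sd` dereferences in src/mux_quic.c deserve the same audit. The function starts and continues outside the hunk.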
@@ -3075,7 +3077,7 @@ static void qcc_wait_for_hs(struct qcc *qcc)
 node = eb64_first(&qcc->streams_by_id);
 while (node) {
 qcs = container_of(node, struct qcs, by_id);
- if (se_fl_test(qcs->sd, SE_FL_WAIT_FOR_HS))
+ if (qcs_sc(qcs) && se_fl_test(qcs->sd, SE_FL_WAIT_FOR_HS))
 qcs_notify_recv(qcs);
 node = eb64_next(node);
 }
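Review bot: The guard added in qcc_wait_for_hs() is `qcs_sc(qcs) &&`, whereas the first hunk tests `qcs->sd` directly, so the dereference in `se_fl_test(qcs->sd, SE_FL_WAIT_FOR_HS)` is safe only if qcs_sc() returns NULL whenever `qcs->sd` is NULL, which this diff does not show. Testing the pointer that is actually dereferenced, `if (qcs->sd && se_fl_test(qcs->sd, SE_FL_WAIT_FOR_HS))`, would make the check self-evident; alternatively keep `qcs_sc()` and add `/* qcs_sc() != NULL implies qcs->sd != NULL */`. If a sedesc can exist without a stream connector, the `qcs_sc()` form also changes which streams get `qcs_notify_recv()`, which should be stated if intended. qcc_wait_for_hs() starts and ends outside the hunk.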