BUG/MEDIUM: quic-be: do not initialize ->conn too early

This bug arrived with this commit:

   BUG/MEDIUM: quic: do not release BE quic-conn prior to upper conn

which added a BUG_ON(qc->conn) statement at the beginning of quic_conn_release().
It is triggered if the connection is not released before releasing the quic_conn.
But this is always the case for a backend quic_conn when its allocation from
qc_new_conn() fails.

Such crashes could be reproduced with the -dMfail option. To reach them, the
memory allocations must fail. So, this is relatively rare, except on systems
with limited memory.

To fix this, simply set the ->conn quic_conn struct member to a non-null value
(the one passed as parameter) after the quic_conn allocation has succeeded.

No backport needed.
Frederic Lecaille 2025-08-20 15:36:18 +02:00
parent 8514647849
commit ca5511f022


@ -1145,7 +1145,8 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
qc->idle_timer_task = NULL;
qc->xprt_ctx = NULL;
qc->conn = conn;
/* We must not free the quic-conn if upper conn is still allocated. */
qc->conn = NULL;
qc->qcc = NULL;
qc->app_ops = NULL;
qc->path = NULL;
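Review bot: the new comment above `qc->conn = NULL;` states the rule that motivates the BUG_ON but not why ->conn is deliberately left NULL at this point; since the rendered hunk has lost its +/- markers (the header's -7/+8 counts show one removed line, the first `qc->conn = conn;`, and two added ones), a reader cannot tell from the code alone that the assignment was moved rather than dropped. Suggest wording it along the lines of "Keep ->conn NULL until allocation succeeds: the error path releases the quic_conn and quic_conn_release() asserts that no upper conn is attached", and auditing the code between this point and the later assignment for any use of qc->conn (traces, logging, callbacks) that previously relied on it being set from the start of qc_new_conn().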
@ -1355,6 +1356,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
if (!qc_new_isecs(qc, &qc->iel->tls_ctx, qc->original_version, dcid->data, dcid->len, !!l))
goto err;
qc->conn = conn;
/* Counters initialization */
memset(&qc->cntrs, 0, sizeof qc->cntrs);
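Review bot: `qc->conn = conn;` is now placed right after the last visible `goto err` (the qc_new_isecs() failure), but the hunk does not show whether any further failure point follows in qc_new_conn(); if one does, releasing the quic_conn on that path would again trip BUG_ON(qc->conn) in quic_conn_release(), so either confirm this is the last `goto err` in the function or have the error path clear ->conn before the release. A short comment on the assignment (for example "Attach the upper conn only now that allocation cannot fail anymore") would pair with the comment added in the first hunk and prevent the line from being moved back up by a later refactor.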