From ca5511f02272bb57504539fb8a297fe6a2e446be Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Wed, 20 Aug 2025 15:36:18 +0200
Subject: [PATCH] BUG/MEDIUM: quic-be: do not initialize ->conn too early

This bug arrived with this commit: BUG/MEDIUM: quic: do not release BE quic-conn prior to upper conn which added a BUG_ON(qc->conn) statement at the beginning of quic_conn_release(). It is triggered if the connection is not released before releasing the quic_conn. But this is always the case for a backend quic_conn when its allocation from qc_new_conn() fails. Such crashes could be reproduced with -dMfail option. To reach them, the memory allocations must fail. So, this is relatively rare, except on systems with limited memory. To fix this, simply set ->conn quic_conn struct member to a not null value (the one passed as parameter) after the quic_conn allocation has succeeded. No backport needed.
---
 src/quic_conn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index ab9557d09..e9be5540e 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1145,7 +1145,8 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 qc->idle_timer_task = NULL;
 qc->xprt_ctx = NULL;
-qc->conn = conn;
+/* We must not free the quic-conn if upper conn is still allocated. */
+qc->conn = NULL;
 qc->qcc = NULL;
 qc->app_ops = NULL;
 qc->path = NULL;
@@ -1355,6 +1356,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
 if (!qc_new_isecs(qc, &qc->iel->tls_ctx, qc->original_version, dcid->data, dcid->len, !!l))
 goto err;
+qc->conn = conn;
 /* Counters initialization */
 memset(&qc->cntrs, 0, sizeof qc->cntrs);
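Review bot: The late `qc->conn = conn;` placed right after the qc_new_isecs() check only closes the window if nothing after it can still `goto err` — qc_new_conn() continues past this hunk (counters are initialized next), and any later fallible step would release qc with ->conn set and trip the very BUG_ON(qc->conn) in quic_conn_release() this commit is working around. Either move the assignment to immediately before the successful `return qc;`, or make the err path independent of ordering by clearing the pointer there (e.g. `qc->conn = NULL;` just before the release call under the err label), which also documents that on allocation failure the upper conn is still owned by the caller. The new assignment also deserves a comment stating the invariant, e.g. `/* Set only once initialization can no longer fail: quic_conn_release() asserts ->conn is NULL. */`, and the comment added next to `qc->conn = NULL` in the first hunk would read better as `/* Left NULL until init can't fail: the err path releases qc. */`. Any code between the two assignments that previously read qc->conn now sees NULL; if such a reader exists it should use the `conn` parameter instead, which I cannot confirm from this hunk. The err label and the rest of qc_new_conn() are outside the hunk.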