From d358da4d83789ac86d3631dd6552a898dec1338b Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 19 May 2025 11:02:46 +0200
Subject: [PATCH] BUG/MINOR: quic: fix crash on quic_conn alloc failure

If there is an alloc failure during qc_new_conn(), cleaning is done via quic_conn_release(). However, since the below commit, an unchecked dereferencing of is performed in the latter.

e841164a4402118bd7b2e2dc2b5068f21de5d9d2
MINOR: quic: account for global congestion window

To fix this, simply check before dereferencing it in quic_conn_release(). This is safe as it is properly initialized to NULL on qc_new_conn() first stage.

This does not need to be backported.
---
 src/quic_conn.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 5b04dbfc1..5feda3b3e 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1448,8 +1448,10 @@ int quic_conn_release(struct quic_conn *qc)
 	}
 
 	/* Substract last congestion window from global memory counter. */
-	cshared_add(&quic_mem_diff, -qc->path->cwnd);
-	qc->path->cwnd = 0;
+	if (qc->path) {
+		cshared_add(&quic_mem_diff, -qc->path->cwnd);
+		qc->path->cwnd = 0;
+	}
 
 	/* free remaining stream descriptors */
 	node = eb64_first(&qc->streams_by_id);
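Review bot: The new `if (qc->path)` guard in quic_conn_release() says nothing about why the pointer can be NULL here, so a later reader may take the release path as always fully initialised and drop the check; a comment tying it to the allocation-failure path would keep the invariant visible, e.g. `/* qc->path is NULL when qc_new_conn() failed before allocating it (see first-stage init). */`. While touching the comment above the block, `Substract` should read `Subtract`. The negation `-qc->path->cwnd` is unchanged by this commit; if cwnd is an unsigned type the unary minus wraps before cshared_add() sees it, which is presumably what the earlier accounting commit intended, but it is worth confirming against the cshared_add() signature, which is not visible here. quic_conn_release() begins and ends outside this hunk, so any other qc member dereferences that run earlier on the same alloc-failure path are not covered by this check and should be audited the same way.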