From d52466726fec5d9eb97ab1aa1c94e02d40767f43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Mon, 4 Sep 2023 10:23:12 +0200
Subject: [PATCH] BUG/MINOR: quic: Unchecked pointer to packet number space dereferenced
It is possible that there are still Initial crypto data in flight without Handshake crypto data in flight. This is very rare but possible. This issue was reported by long-rtt interop test with quic-go as client and @chipitsine in GH #2276. No need to backport.
---
 src/quic_conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/quic_conn.c b/src/quic_conn.c
index a2e85d8df..be65c2e20 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1094,7 +1094,7 @@ struct task *qc_process_timer(struct task *task, void *ctx, unsigned int state)
 else {
 TRACE_STATE("Cannot probe Initial packet number space", QUIC_EV_CONN_TXPKT, qc);
 }
- if (qc->hpktns->tx.in_flight) {
+ if (qc->hpktns && qc->hpktns->tx.in_flight) {
 qc->flags |= QUIC_FL_CONN_RETRANS_NEEDED;
 qc->hpktns->flags |= QUIC_FL_PKTNS_PROBE_NEEDED;
 TRACE_STATE("needs to probe Handshake packet number space", QUIC_EV_CONN_TXPKT, qc);
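Review bot: The added `qc->hpktns &&` guard on the changed `if` line is correct but leaves no trace in the code of why the Handshake packet number space can be absent at this point, which only the commit message explains; a one-line comment above the condition, e.g. `/* hpktns may be NULL while Initial crypto data is still in flight (GH #2276) */`, would stop the next maintainer from "simplifying" the check away. The Initial-space branch visible just above this hunk logs "Cannot probe Initial packet number space" when it skips, whereas the Handshake branch now skips silently when `hpktns` is NULL; a matching `TRACE_STATE` in an `else` for that NULL case would keep the trace output symmetric when diagnosing a stalled handshake. If the Initial-space pointer checked above the hunk can be NULL under the same conditions, it presumably needs the same guard, but that cannot be confirmed from the visible lines. `qc_process_timer` starts and ends outside the hunk, so any later dereference of `qc->hpktns` in the same timer path is not covered by this fix.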