mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-01 11:10:59 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: mux_quic: prevent crash on qc_frm_free() with QMux

Browse Source 
qc_frm_free() is a helper used to clean up a QUIC frame object. It is
used by MUX layer both for QUIC and QMux protocols.

This function takes a pointer to the underlying quic_conn, used only for
trace purpose. This patch fixes its usage for QMux to ensure that in
this case a NULL value is used.

No need to backport.
This commit is contained in:
Amaury Denoyelle 2026-04-24 09:30:28 +02:00
parent 7c4eda5b57
commit dde5c26eb1
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/mux_quic.c
View File

@ -2668,7 +2668,7 @@ static int qcs_send_reset(struct qcs *qcs)
LIST_APPEND(&frms, &frm->list);
if (qcc_send_frames(qcs->qcc, &frms, 0)) {
if (!LIST_ISEMPTY(&frms))
qc_frm_free(qcs->qcc->conn->handle.qc, &frm);
qc_frm_free(conn_is_quic(qcs->qcc->conn) ? qcs->qcc->conn->handle.qc : NULL, &frm);
TRACE_DEVEL("cannot send RESET_STREAM", QMUX_EV_QCS_SEND, qcs->qcc->conn, qcs);
return 1;
}
@ -2719,7 +2719,7 @@ static int qcs_send_stop_sending(struct qcs *qcs)
LIST_APPEND(&frms, &frm->list);
if (qcc_send_frames(qcs->qcc, &frms, 0)) {
if (!LIST_ISEMPTY(&frms))
qc_frm_free(qcc->conn->handle.qc, &frm);
qc_frm_free(conn_is_quic(qcc->conn) ? qcc->conn->handle.qc : NULL, &frm);
TRACE_DEVEL("cannot send STOP_SENDING", QMUX_EV_QCS_SEND, qcs->qcc->conn, qcs);
return 1;
}
@ -3493,7 +3493,7 @@ static void qcc_release(struct qcc *qcc)
while (!LIST_ISEMPTY(&qcc->lfctl.frms)) {
struct quic_frame *frm = LIST_ELEM(qcc->lfctl.frms.n, struct quic_frame *, list);
qc_frm_free(qcc->conn->handle.qc, &frm);
qc_frm_free(conn_is_quic(qcc->conn) ? qcc->conn->handle.qc : 0, &frm);
}
qcc_clear_frms(qcc);