BUG/MINOR: quic: Dereferenced unchecked pointer to Handshke packet number space

This issue was reported by longrtt interop test with quic-go as client and @chipitsine in GH #2282 when haproxy is compiled against libressl. Add two checks to prevent a pointer to the Handshake packet number space to be dereferenced if this packet number space was released. Thank you to @chipitsine for this report. No need to backport.
2025-08-06 07:07:04 +02:00 · 2023-09-06 09:15:55 +02:00 · 2023-09-06 09:15:55 +02:00 · e7240a0ba6
commit e7240a0ba6
parent 700ca14fc1
1 changed files with 4 additions and 2 deletions
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
@ -1339,7 +1339,8 @@ int qc_dgrams_retransmit(struct quic_conn *qc)
 					goto leave;
 				/* Put back unsent frames in their packet number spaces */
 				LIST_SPLICE(&ipktns->tx.frms, &ifrms);
-				LIST_SPLICE(&hpktns->tx.frms, &hfrms);
+				if (hpktns)
+					LIST_SPLICE(&hpktns->tx.frms, &hfrms);
 			}
 			else {
 				/* We are in the case where the anti-amplification limit will be
@ -1357,7 +1358,8 @@ int qc_dgrams_retransmit(struct quic_conn *qc)
 		TRACE_STATE("no more need to probe Initial packet number space",
 					QUIC_EV_CONN_TXPKT, qc);
 		ipktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
-		hpktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
+		if (hpktns)
+			hpktns->flags &= ~QUIC_FL_PKTNS_PROBE_NEEDED;
 	}
 	else {
 		int i;