BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv() This commit was not complete: "BUG/MEDIUM: quic: Possible use of uninitialized <odcid> variable in qc_lstnr_params_init()" <token_odcid> should have been directly passed to qc_lstnr_params_init() without dereferencing it to prevent haproxy to have new chances to crash! Must be backported to 2.6.

commit: 7629f5d6709c539c6c9012949411281144c82f53 [log] [tgz]
author: Frédéric Lécaille <flecaille@haproxy.com> Thu Aug 11 18:54:26 2022 +0200
committer: Willy Tarreau <w@1wt.eu> Thu Aug 11 19:12:12 2022 +0200
tree: 8cca98a8cc3470f80ba1a7ca2627278220b381ef
parent: 18d1306abd6578f2d955f67578ff2458795bba95 [diff] [blame]
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 83a1aac..7d7ba0b 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c

@@ -4725,8 +4725,7 @@
 	if (server && !qc_lstnr_params_init(qc, &l->bind_conf->quic_params,
 	                                    icid->stateless_reset_token,
 	                                    dcid->data, dcid->len,
-	                                    qc->scid.data, qc->scid.len,
-	                                    token_odcid->data, token_odcid->len))
+	                                    qc->scid.data, qc->scid.len, token_odcid))
 		goto err;
 
 	if (qc_conn_alloc_ssl_ctx(qc) ||
@@ -5774,7 +5773,7 @@
 	if (long_header) {
 		uint64_t len;
 		struct quic_cid odcid;
-		struct quic_cid *token_odcid = NULL; // ODCID received from client token
+		const struct quic_cid *token_odcid = NULL; // ODCID received from client token
 
 		TRACE_PROTO("long header packet received", QUIC_EV_CONN_LPKT, qc);
 		if (!quic_packet_read_long_header(&buf, end, pkt)) {
commit	7629f5d6709c539c6c9012949411281144c82f53	[log] [tgz]
author	Frédéric Lécaille <flecaille@haproxy.com>	Thu Aug 11 18:54:26 2022 +0200
committer	Willy Tarreau <w@1wt.eu>	Thu Aug 11 19:12:12 2022 +0200
tree	8cca98a8cc3470f80ba1a7ca2627278220b381ef
parent	18d1306abd6578f2d955f67578ff2458795bba95 [diff] [blame]