BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure

Since the following commit, sedesc are created since QCS instantiation
in qcs_new().

  086e51017e7731ee9820b882fe6e8cc5f0dd5352
  BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream

However, sedesc is initialized before other QCS mandatory fields. If
sedesc allocation fails, a crash would occur on qcs_free() invocation
for QCS early release. To fix this, delay sedesc allocation until
function end.

This bug was detected using -dMfail.

This should be backported up to 2.6.

(cherry picked from commit 3aded1d3752a12af9b8e48f445218230e6967a06)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 96c254fd3e647f3e519d5ba2c39e8c4a64215bb5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 408cb66b2a08d39e066d92c9038c7877603f8938)
[cf: No zero-copy forwarding in 2.8]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/mux_quic.c b/src/mux_quic.c
index d36bc62..aca72bf 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -100,14 +100,6 @@
qcs->st = QC_SS_IDLE;
qcs->ctx = NULL;
- qcs->sd = sedesc_new();
- if (!qcs->sd)
- goto err;
- qcs->sd->se = qcs;
- qcs->sd->conn = qcc->conn;
- se_fl_set(qcs->sd, SE_FL_T_MUX | SE_FL_ORPHAN | SE_FL_NOT_FIRST);
- se_expect_no_data(qcs->sd);
-
/* App callback attach may register the stream for http-request wait.
* These fields must be initialed before.
*/
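Review bot: with the allocation block removed from this spot, nothing in the visible lines gives qcs->sd a defined value before the later sedesc_new() call, so any earlier "goto err" would hand qcs_free() a stream whose sd field depends on how the qcs object itself was allocated. Setting qcs->sd = NULL next to "qcs->ctx = NULL;" would make the early-release path explicit. It is also worth confirming that the app attach callback mentioned in the comment below does not read qcs->sd, since that field is now populated only afterwards. Minor: "initialed" in that comment should read "initialized".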
@@ -155,6 +147,14 @@
qcs->err = 0;
+ qcs->sd = sedesc_new();
+ if (!qcs->sd)
+ goto err;
+ qcs->sd->se = qcs;
+ qcs->sd->conn = qcc->conn;
+ se_fl_set(qcs->sd, SE_FL_T_MUX | SE_FL_ORPHAN | SE_FL_NOT_FIRST);
+ se_expect_no_data(qcs->sd);
+
/* Allocate transport layer stream descriptor. Only needed for TX. */
if (!quic_stream_is_uni(id) || !quic_stream_is_remote(qcc, id)) {
struct quic_conn *qc = qcc->conn->handle.qc;
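Review bot: the relocated block at "qcs->sd = sedesc_new();" carries no comment explaining why it must sit after the mandatory field initialization, so a later refactor could move it back up and reintroduce the crash. A short comment above it stating that qcs_free() needs the preceding fields set before "goto err" can be taken would protect the ordering. Also note that the commit message says the allocation is delayed until function end, yet the transport layer stream descriptor is still allocated after it: on sedesc_new() failure that descriptor does not exist yet, so the err path needs to tolerate it being unset, and a failure in that later allocation needs to release qcs->sd.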