BUG/MINOR: mux-quic: fix crash on qcc_init() early return

qcc_release() may be used in case qcc_init() cannot complete. In this case, connection instance is NULL. As such, it cannot be dereferenced without testing it first. This should fix github coverity report #2739. No backport needed.
haproxytech · Oct 2, 2024 · 58b7a72 · 58b7a72
1 parent cea1379
commit 58b7a72
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/src/mux_quic.c b/src/mux_quic.c
@@ -2626,7 +2626,7 @@ static void qcc_release(struct qcc *qcc)
 {
 	struct connection *conn = qcc->conn;
 	struct eb64_node *node;
-	struct quic_conn *qc = conn->handle.qc;
+	struct quic_conn *qc;
 
 	TRACE_ENTER(QMUX_EV_QCC_END, conn);
 
@@ -2644,11 +2644,14 @@ static void qcc_release(struct qcc *qcc)
 	}
 
 	/* unsubscribe from all remaining qc_stream_desc */
-	node = eb64_first(&qc->streams_by_id);
-	while (node) {
-		struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
-		qc_stream_desc_sub_room(stream, NULL);
-		node = eb64_next(node);
+	if (conn) {
+		qc = conn->handle.qc;
+		node = eb64_first(&qc->streams_by_id);
+		while (node) {
+			struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
+			qc_stream_desc_sub_room(stream, NULL);
+			node = eb64_next(node);
+		}
 	}
 
 	tasklet_free(qcc->wait_event.tasklet);