BUG/MINOR: mux-quic: trace with non initialized qcc

haproxyFred · haproxyFred · commit 053c209e74f2 · 2025-08-28T08:15:40.000+02:00
This issue leads to crashes when the QUIC mux traces are enabled and could be
reproduced with -dMfail. When the qcc allocation fails (qcc_init()) haproxy
crashes into qmux_dump_qcc_info() because -&gt;conn qcc member is initialized:

Program terminated with signal SIGSEGV, Segmentation fault.
    at src/qmux_trace.c:146
146             const struct quic_conn *qc = qcc-&gt;conn-&gt;handle.qc;
[Current thread is 1 (LWP 1448960)]
(gdb) p qcc
$1 = (const struct qcc *) 0x7f9c63719fa0
(gdb) p qcc-&gt;conn
$2 = (struct connection *) 0x155550508
(gdb)

This patch simply fixes the TRACE() call concerned to avoid &lt;qcc&gt; object
dereferencing when it is NULL.

Must be backported as far as 3.0.
diff --git a/src/mux_quic.c b/src/mux_quic.c
@@ -3706,7 +3706,7 @@ static int qmux_init(struct connection *conn, struct proxy *prx,
 		conn->ctx = NULL;
 	}
 
-	TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);
+	TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, qcc ? conn : NULL);
 	return -1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3706,7 +3706,7 @@ static int qmux_init(struct connection conn, struct proxy prx,`
`3706`	`3706`	`conn->ctx = NULL;`
`3707`	`3707`	`}`
`3708`	`3708`
`3709`		`- TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, conn);`
	`3709`	`+ TRACE_DEVEL("leaving on error", QMUX_EV_QCC_NEW, qcc ? conn : NULL);`
`3710`	`3710`	`return -1;`
`3711`	`3711`	`}`
`3712`	`3712`